In light of state data breach notification statutes, existing securities disclosure obligations, and other considerations, many companies already have processes in place to evaluate disclosure of cyber incidents. But given the relatively short timeframe that will be available under the Act for reporting certain incidents, this legislation provides additional reason for companies to take the time now to review their cybersecurity response plans and disclosure controls to ensure that they are appropriately designed to enable prompt evaluation and timely disclosure of cyber incidents where required.

Effective Date and Scope of Covered Entities

Under the Act, CISA is required to issue a proposed implementing rule by March 15, 2024 and a final rule 18 months thereafter, which will establish the effective date for the Act.

The Act defines “covered entity” as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 that satisfies the definition established by [CISA] in the final rule issued pursuant to section 2242(b).”  The Act requires CISA’s definition of “covered entity” to be “based on (A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; (B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country and (C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure” as well as the definition set forth in the Homeland Security Act of 2002, codified at 6 U.S.C. 651.[3] However, in light of Presidential Policy Directive 21, companies in the following sectors will be included as a covered entity: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems and Water and Wastewater Systems.[4]

The Act will require covered entities, once they reasonably believe that a covered event has occurred, to report the incident within 72 hours.

The Act directs CISA to define a “covered cyber incident.” At a minimum, the definition is required to include an incident that (1) results in a “substantial loss of confidentiality, integrity or availability of the information system or the information the system processes, stores, or transmits”; (2) results in “disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”; or (3) involves “unauthorized access or disruption of business or industrial operations” due to a “compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.” When defining a covered cyber incident, CISA is also required to consider the sophistication of the attack, the type and volume of information affected, the number of individuals potentially affected, and the impact to systems.  Notably, the Act recognizes that a covered cyber incident “does not include an occurrence that imminently, but not actually, jeopardizes (i) information on information systems or (ii) information systems.”

• A description of the covered cyber incident, including (a) the function of the information systems, networks, or devices that were, or are reasonably believed to have been, impacted by the cyber incident; (b) the unauthorized access; (c) estimated date range of the incident; and (d) the impact to the entity’s operations;
• A description of the vulnerabilities exploited and the security defenses that were in place as well as the tactics, techniques, and procedures used to perpetrate the incident;
• Any identifying or contact information related to each actor reasonably believed to be responsible for the incident; and
• The category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition.

With respect to supplemental disclosures, the Act will require that covered entities to “promptly submit to the Agency an update or supplement to a previously submitted covered cyber incident report if substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report . . . until such date that such covered entity notifies the Agency that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.”

Separate Reporting Requirements for Ransomware

The Act includes separate reporting requirements specifically for ransomware payments that are broader than its reporting requirements for cyber incidents. Under the Act, covered entities will be required to report a “ransom payment” within 24 hours of payment, including the date, demand, and amount of payment as well as the payment instructions. In other words, the Act will require reporting of ransom payments that are not associated with incidents that meet the definition of a covered cyber incident. (We note the special considerations and risks associated with ransom demands that might involve sanctioned counties or entities.)

The Act defines “ransom payment” as “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.” “Ransomware attack” is defined as “an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment.” It does not “include any such event where the demand for payment is (i) not genuine or (ii) made in good faith by an entity in response to a specific request by the owner or operator of the information system.”