Recently Enacted Federal Cybersecurity Disclosure Statute Will Significantly Expand Data Breach and Ransomware Reporting Obligations

by Nicholas S. Goldin, Lori E. Lesser, Melanie D. Jolson, and Shanice D. Hinckson

Tucked into the recently enacted 2022 Consolidated Appropriations Act is the Cyber Incident Reporting for Critical Infrastructure Act (the “Act”), which will—once effective—significantly expand the obligation of companies in the energy, communications, financial services and other critical infrastructure sectors to report a range of cyberattacks and ransomware payments.[1] This broad-based federal cyber incident reporting requirement comes on the heels of cyber disclosure rules recently proposed by the Securities and Exchange Commission for public companies.[2]

In light of state data breach notification statutes, existing securities disclosure obligations, and other considerations, many companies already have processes in place to evaluate disclosure of cyber incidents. But given the relatively short timeframe that will be available under the Act for reporting certain incidents, this legislation provides additional reason for companies to take the time now to review their cybersecurity response plans and disclosure controls to ensure that they are appropriately designed to enable prompt evaluation and timely disclosure of cyber incidents where required.

Effective Date and Scope of Covered Entities

Under the Act, CISA is required to issue a proposed implementing rule by March 15, 2024 and a final rule 18 months thereafter, which will establish the effective date for the Act.

The Act defines “covered entity” as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 that satisfies the definition established by [CISA] in the final rule issued pursuant to section 2242(b).” The Act requires CISA’s definition of “covered entity” to be “based on (A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; (B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country and (C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure” as well as the definition set forth in the Homeland Security Act of 2002, codified at 6 U.S.C. 651.[3] However, in light of Presidential Policy Directive 21, companies in the following sectors will be included as covered entities: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.[4]

Reporting Requirements

The Act will require covered entities, once they reasonably believe that a covered cyber incident has occurred, to report the incident within 72 hours.

The Act directs CISA to define a “covered cyber incident.” At a minimum, the definition is required to include an incident that (1) results in a “substantial loss of confidentiality, integrity or availability of the information system or the information the system processes, stores, or transmits”; (2) results in “disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”; or (3) involves “unauthorized access or disruption of business or industrial operations” due to a “compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.” When defining a covered cyber incident, CISA is also required to consider the sophistication of the attack, the type and volume of information affected, the number of individuals potentially affected, and the impact to systems. Notably, the Act recognizes that a covered cyber incident “does not include an occurrence that imminently, but not actually, jeopardizes (i) information on information systems or (ii) information systems.”

A covered entity will be required to report a covered cyber incident when it “reasonably believes that a covered cyber incident has occurred.” The Act does not define what constitutes a “reasonable” belief. If such a reasonable belief exists, however, the initial disclosure to CISA will need to include the following:

  • A description of the covered cyber incident, including (a) the function of the information systems, networks, or devices that were, or are reasonably believed to have been, impacted by the cyber incident; (b) the unauthorized access; (c) estimated date range of the incident; and (d) the impact to the entity’s operations;
  • A description of the vulnerabilities exploited and the security defenses that were in place as well as the tactics, techniques, and procedures used to perpetrate the incident;
  • Any identifying or contact information related to each actor reasonably believed to be responsible for the incident; and
  • The category or categories of information that were, or are reasonably believed to have been, subject to unauthorized access or acquisition.

With respect to supplemental disclosures, the Act will require covered entities to “promptly submit to the Agency an update or supplement to a previously submitted covered cyber incident report if substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report . . . until such date that such covered entity notifies the Agency that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.”

Separate Reporting Requirements for Ransomware

The Act includes separate reporting requirements specifically for ransomware payments that are broader than its reporting requirements for cyber incidents. Under the Act, covered entities will be required to report a “ransom payment” within 24 hours of payment, including the date, demand, and amount of payment as well as the payment instructions. In other words, the Act will require reporting of ransom payments even where they are not associated with incidents that meet the definition of a covered cyber incident. (We note the special considerations and risks associated with ransom demands that might involve sanctioned countries or entities.)

The Act defines “ransom payment” as “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.” “Ransomware attack” is defined as “an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment.” It does not “include any such event where the demand for payment is (i) not genuine or (ii) made in good faith by an entity in response to a specific request by the owner or operator of the information system.”

Footnotes

[1] See Consolidated Appropriations Act, 2022, Division Y – Cyber Incident Reporting for Critical Infrastructure Act of 2022 (PDF: 4.4 MB).

[2] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (PDF: 876 KB) as well as Public Company Cybersecurity Fact Sheet (PDF: 282 KB).

[3] See Homeland Security Act 2002, 6 U.S.C. 651 (The term “incident” means “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system”).

[4] See Presidential Policy Directive 21.

Nicholas S. Goldin and Lori E. Lesser are partners, and Melanie D. Jolson and Shanice D. Hinckson are associates, at Simpson Thacher & Bartlett LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.