On March 15, 2022, President Biden signed the Consolidated Appropriations Act, 2022 (H.R. 2471), which is the fiscal year 2022 omnibus spending bill. Of special interest in the bill is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y). While the concept of data breach notification isn’t exactly new, prior legislation has largely been focused on ensuring companies are informing their customers if customer nonpublic personal information (NPI) was compromised. This Act requires a covered entity to report to the Cyber and Infrastructure Security Agency (CISA) “substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule.”
Who is Affected?
While we cannot say with 100% certainty who will be affected by this new rule, the short answer is “any covered entity.” The Director of CISA has, what appears to be, a few years to define what constitutes a covered entity. However, CISA’s current definition of entities considered to be critical infrastructure is as follows:
- Agriculture and Food
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial base
- Emergency Services
- Financial Services
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
If your organization is part of one of these entities, it’s safe to assume you’ll likely be affected by this new ruling.
What Needs to be Done?
In short, any covered entity that experiences a substantial cyber incident (which also needs to be defined) must report the incident to CISA within 72 hours. A ransom payment in connection to a ransomware attack must also be reported to CISA within 24 hours of payment. Covered entities will be required to provide supplemental information and preserve data related to the incident as required by the rule.
While the Act provides some information around definitions and processes, the new cyber reporting requirements listed in this Act will not become effective until the CISA issues a "final rule" to define key definitions and requirements. The CISA Director, "in consultation with Sector Risk Management Agencies, the Department of Justice, and other Federal agencies," is required to issue a "notice of proposed rulemaking" within 24 months of the Act's implementation (March 15, 2022), and then issue a final rule within 18 months of the proposed rule. If the entire timeframe is utilized, the requirements under this new Act may be fully implemented on or around September 15, 2025.
Important to note, these reporting requirements mirror the Computer-Security Incident Notification Final Rule (FIL-74-2021) from November 2021. This ruling from the federal banking regulatory agencies takes effect May 1, 2022, and requires “computer security incident notification to its primary federal regulator as soon as possible but not later than 36 hours after a banking organization determines a cyber incident has occurred.” The Notification Rule reporting requirement time is half of the new omnibus bill’s requirements. At this time, it’s highly likely that complying with the Notification Rule will count as compliance with the omnibus requirements as one of its exceptions states that the rule “shall not apply to a covered entity required by law, regulation, or contract to report substantially similar information to another federal agency within a substantially similar timeframe.” While the exemption appears to be hinged on the other federal agency (FDIC, OCC, FED, NCUA) having an information-sharing agreement with CISA, time will tell if the federal banking agencies do.
Financial institutions should already be making incident response policy and plan revisions in order to comply with the requirements of the Notification Rule, so the added definitions and requirements in the omnibus should be largely second nature.