
Cyber Incident Reporting for Critical Infrastructure Act of 2022

On March 15, 2022, President Biden signed the Consolidated Appropriations Act, 2022 (H.R. 2471), the fiscal year 2022 omnibus spending bill. Of special interest in the bill is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y). While the concept of data breach notification isn’t exactly new, prior legislation has largely focused on ensuring companies inform their customers when customer nonpublic personal information (NPI) has been compromised. This Act instead requires a covered entity to report to the Cybersecurity and Infrastructure Security Agency (CISA) any “substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule.”


Who is Affected?

While we cannot say with 100% certainty who will be affected by this new rule, the short answer is “any covered entity.” The Director of CISA has what appears to be a few years to define what constitutes a covered entity. In the meantime, CISA’s current list of critical infrastructure sectors is as follows:

  • Agriculture and Food
  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

If your organization operates in one of these sectors, it’s safe to assume you’ll likely be affected by this new rule.


What Needs to be Done?

In short, any covered entity that experiences a substantial cyber incident (which also needs to be defined) must report the incident to CISA within 72 hours. A ransom payment in connection to a ransomware attack must also be reported to CISA within 24 hours of payment. Covered entities will be required to provide supplemental information and preserve data related to the incident as required by the rule.

While the Act provides some information around definitions and processes, the new cyber reporting requirements in this Act will not become effective until CISA issues a "final rule" that settles the key definitions and requirements. The CISA Director, "in consultation with Sector Risk Management Agencies, the Department of Justice, and other Federal agencies," is required to issue a "notice of proposed rulemaking" within 24 months of the Act's enactment (March 15, 2022), and then issue a final rule within 18 months of the proposed rule. If the entire timeframe is used, the requirements under this new Act may not be fully in force until on or around September 15, 2025.

It is important to note that these reporting requirements mirror the Computer-Security Incident Notification Final Rule (FIL-74-2021) from November 2021. This rule from the federal banking regulatory agencies takes effect May 1, 2022, and requires “computer security incident notification to its primary federal regulator as soon as possible but not later than 36 hours after a banking organization determines a cyber incident has occurred.” The Notification Rule’s reporting window is half of the new omnibus bill’s 72 hours. At this time, it’s highly likely that complying with the Notification Rule will count as compliance with the omnibus requirements, as one of its exceptions states that the rule “shall not apply to a covered entity required by law, regulation, or contract to report substantially similar information to another federal agency within a substantially similar timeframe.” That exemption appears to hinge on the other federal agency (FDIC, OCC, FED, NCUA) having an information-sharing agreement with CISA, so time will tell whether the federal banking agencies put one in place.

Financial institutions should already be making incident response policy and plan revisions in order to comply with the requirements of the Notification Rule, so the added definitions and requirements in the omnibus should be largely second nature.


Written by: Cody Delzer, CISA, CDPSE
SVP IS Consultant/Regional Director - SBS CyberSecurity, LLC 

Posted: Tuesday, March 22, 2022
Categories: Blog