Division Y – Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law by President Biden on March 15. Highlights of the Act include:
- Requiring the Director of the Cybersecurity and Infrastructure Agency to create regulations requiring covered entities that pertain to critical infrastructure of the United States to report within 72 hours certain types of significant security incidents to the Agency.
- Requiring reports of any ransomware payments within 24 hours of making the payment.
- Creating a process for voluntary reporting of less significant incidents which do not fall into the required category, but which would improve the situational awareness of cyber threats. Under this law, the Agency investigatory can exercise power, including the ability to issue subpoenas and refer the matter to the Attorney General to commence civil litigation if it believes it has not received a mandatory report.
Implications of Act
It is difficult to determine all the implications of this Act until the regulations are published. Under the act, the draft regulation are due no later than March 15, 2024 and the final rules are due no later than 18 months after the publication of the draft rules. So, the outside date for this regulation to go into effect is September 15, 2025. That said, it will likely happen sooner. Some of the issues organizations will need to consider are:
- Will they be considered a covered entity under this regulation? Under Presidential Policy Directive 21, the regulation will likely apply to organizations in the following sectors:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Healthcare and public health
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater Systems
- What are the regulatory implications of making a report under this Act? For instance, will the reporting to this Agency trigger reporting to any other regulators or entities or will it trigger a contractual reporting obligation to any customers. How will this affect the timing of these reports?
- How will this impact any reporting requirements a covered entity has established with its vendors or other providers in its supply chain; as the division between one company and another grows blurry with so much data now located in the “cloud”?
- How can internal policies and procedures be updated to ensure proper and timely reporting of required events?
Since no regulation currently exists, there is nothing an organization needs to undertake to comply with this Act. However, if your organization is likely to be a covered entity under the regulation, there are some steps that are worth taking now to minimize hardships later. These are:
- Identify all service agreements with essential parts of the supply chain and ensure that either a timely reporting requirement exists; or start the process of amending these agreements to provide for one.
- Review with counsel all events that trigger reporting to any regulator or the general public and whether a report under this act would create a new or different obligation to report an incident.
- Review your incident reporting process and incident investigative process with counsel to ensure that it is protected by privilege. For instance, there is a growing body of case law that only applies the Attorney Client Communication and Work Product privilege to work performed by a forensic team retained by legal. If the IT consulting group is one that routinely works with the organization, their reports and findings may not be privileged. Any loss of privilege could be quite significant as many regulations impose a duty to protect the confidentiality, integrity and availability of certain information and the forensic reports could be critical of those efforts. Thus, if not protected, they could prove to be an additional source of liability or basis for a regulatory fine.
- Make your different business units aware of this Act to identify any impact it may have on the organization. If they are substantial, consider lending a voice to regulation drafting process to try and mitigate any negative effect of the law.
If you are concerned about how this law might affect your organization, please contact Dawn Russell, Alan Winchester, or the attorney with whom you consult at Harris Beach.
This alert is not a substitute for advice of counsel on specific legal issues.
Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as Washington D.C., New Haven, Connecticut and Newark, New Jersey.