Biden Signs Cyber Incident Reporting Act, Covering Businesses in Many Sectors

March 22, 2022
President Joseph R. Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Cyber Incident Reporting Act or “the Act”) as part of the 2022 Consolidated Appropriations Act on March 15. The Act introduces new requirements for reporting certain cyber incidents. In addition, it requires businesses to report ransom payments made in connection with such incidents. Undoubtedly, the Act affects businesses in every sector, including health care, transportation, and finance. Passage of the Act follows the administration’s renewed focus on cybersecurity. Indeed, the U.S. Department of Justice (DOJ) previously announced a plan to combat cyber threats related to cryptocurrency.

Who Does the Act Cover?

The Presidential Policy Directive 21 (the PPD) identifies 16 critical infrastructure sectors that the Cyber Incident Reporting Act covers. A few notable sectors include:
  • Critical manufacturing
  • Communications
  • Emergency services
  • Government facilities
  • Health care and public health
  • Transportation
According to the PPD, these defined 16 critical infrastructure sectors provide “essential services that underpin American society.” The current threats to cybersecurity necessitate coordinated efforts to “strengthen and maintain secure, functioning, and resilient critical infrastructure.”

What Does the Cyber Incident Reporting Act Do?

Under the Act, “covered entities” within the aforementioned sectors must follow four reporting requirements after a “covered cyber incident” or a ransomware payment occurs. In detail, these covered entities will need to:
  1. Report a “substantial” covered cyber incident to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The 72-hour clock starts when the entity reasonably believes the incident occurred. Reports should include details of the affected information systems or networks, as well as the impact on the entity.
  2. Promptly report ransom payments as part of a ransomware attack within 24 hours of making the payment.
  3. Update their previous reports as “substantial new or different information” becomes available until the incident is resolved.
  4. Preserve relevant data on the cyber incident or ransom payment.

Oversight and Compliance

The Act requires CISA to define the specific scope and application of the Act. Additionally, CISA may develop related details for implementing the Act. The Act tasks CISA with issuing a proposed rule containing such details within 24 months of its passage. After that, CISA will issue its final rule within 18 months of the proposed rule. At that point, the new law will take effect. Businesses operating within the defined critical infrastructure sectors should monitor CISA’s anticipated rulemaking. Future rules will detail how the law will apply to businesses and the steps they must take to comply. Under the Act, the CISA director may issue subpoenas to address non-compliant businesses. Finally, organizations that fail to comply may be held in contempt of court or be subject to criminal prosecution.

Cybersecurity Awareness Training

Presently, many laws require businesses to take reasonable steps to protect personal information collected from customers, employees, or job applicants. Given that, all employees must know the common workplace cybersecurity threats and recognize what protections are available against cyberattacks. To assist employers, Personnel Concepts has developed an online, interactive Cybersecurity Awareness Training Program. With this resource, businesses of any size and industry can train employees on keeping personal information safe.