Stay Informed | Legal Updates

Cybersecurity and Infrastructure Security Agency (“CISA”) Proposed Cyber Security Incident Reporting Requirements

September 19, 2024

Overview

On April 4, 2024, CISA[i], an agency under the Department of Homeland Security, released a proposed rule that requires certain covered entities operating in critical infrastructure sectors to report cyber incidents to CISA. CISA issued the rule under the authority provided to it by the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”)[ii]. At this time, CISA has only released a proposed rule and the public comment process closed in July, 2024[iii]. The final rule requiring notification is expected to be published in 2025 and will go into effect in 2026.[iv] When the final rule goes into effect, it will require covered organizations to notify CISA if they experience a “covered cyber incident”[v] or make a ransomware extortion payment.[vi] Under the proposed rule, a covered entity experiencing a covered cyber incident would have seventy-two (72) hours to report a covered cyber incident.[vii] Additionally, a covered entity would have twenty-four (24) hours to report a ransom payment.[viii]

Who Must Report – Covered Entities

The CISA reporting requirements apply to sixteen critical infrastructure sectors and do not include any entities that are considered a “small business” under 13 C.F.R. part 121[ix].[x] The Small Business Administration (“SBA”) classifies businesses based on their industry and size standard determined in either millions of dollars or number of employees. A table to assist a business in determining if they qualify as a small business under the SBA can be found here. The sixteen critical infrastructure sectors that are required to report to CISA include:

(1) Covered chemical facilities under the Chemical Facility Anti-Terrorism Standards pursuant to 6 CFR part 27[xi];

(2) Wire or radio communications service providers such as radio and television broadcasters, cable television operators, satellite operators, telecommunications carriers, submarine cable licensees, fixed and mobile wireless service providers, voice over internet protocol providers, or internet service providers;

(3) Critical manufacturing sector infrastructure entities that engage in primary metal manufacturing, machinery manufacturing, electrical equipment, appliance, and component manufacturing, or transportation equipment manufacturing;

(4) Entities that provide operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information;

(5) Emergency service providers to a population of at least 50,000 individuals and includes law enforcement, fire and rescue services, emergency medical services, emergency management, or public works that contribute to public health and safety;

(6) Bulk electric and distribution system entities;

(7) Financial services entities;

(8) State, local, Tribal, or territorial government entities with populations of at least 50,000 individuals;

(9) Educational facilities;

(10) Entities involved with information and communications technology to support elections processes including voter registration databases, voting systems, and technologies used to report, display, validate, or finalize election results;

(11) Public health-related providers including certain hospitals and drug or device manufacturers;

(12) Information technology entities that (i) provide products or services to the Federal Government, (ii) sells, licenses, or maintains software with certain attributes[xii], (iii) is an original equipment manufacturer, vendor, or integrator of operational technology hardware or software components, or (iv) performs functions related to domain name operations;

(13) Owns or operates a commercial nuclear power reactor or fuel cycle facility;

(14) Transportation system entities;

(15) Entities subject to regulation under the Maritime Transportation Security Act; and

(16) Community water system or publicly owned treatment works owners and/or operators that serve a population of more than 3,300 people.[xiii]

What Must Be Reported

Covered entities must report (1) covered cyber incidents and (2) any ransomware payments made, even if the ransomware attack[xiv] does not qualify as a covered cyber incident.[xv] Covered cyber incident is defined as a substantial cyber incident experienced by a covered entity.

A covered cyber incident is defined as a “substantial cyber incident” experienced by a covered entity.[xvi]

A substantial cyber incident is defined as: (1) a substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network; (2) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; (3) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (4) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a (i) compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or (ii) supply chain compromise.[xvii]

Additionally, a “substantial cyber incident” resulting in the impacts listed above in (1) through (3) includes any cyber incident regardless of cause, including, but not limited to, any of the above incidents caused by (i) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; (ii) a supply chain compromise; (iii) a denial-of-service attack; (iv) a ransomware attack; or (v) exploitation of a zero-day vulnerability.[xviii]

The term “substantial cyber incident” does not include: (1) any lawfully authorized activity of a United States Government entity or SLTT[xix] Government entity, including activities undertaken pursuant to a warrant or other judicial process; (2) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; or (3) the threat of disruption as extortion, as described in 6 U.S.C. 650(22)[xx].[xxi]

 Reporting Deadlines and How to Report

A covered entity experiencing a substantial cyber incident will have seventy-two (72) hours after the covered entity reasonably believes the covered cyber incident has occurred to report an incident. Additionally, a covered entity would have twenty-four (24) hours after the ransom payment has been disbursed to report a ransom payment.[xxii] CISA currently has an online portal where reports can be submitted; however, this portal will likely need to be updated to conform to the reporting required under the rule[xxiii]. Currently, reporting through the CISA online portal is voluntary. When the rule goes into effect in 2026, CISA will have four (4) categories of reporting including a (1) Covered Cyber Incident Report (used to report covered cyber incidents), (2) Ransom Payment Report (used to report ransomware payments), (3) Joint Covered Cyber Incident (used to report both covered cyber incidents and ransomware payments), and (4) Supplemental Reports (used to report incident updates).[xxiv] The proposed rule includes detailed requirements on what information needs to be notified to CISA based on each report type.[xxv]

Moving Forward

Given the short notification deadlines built into the new CISA reporting requirements, it is essential that organizations determine now whether they are a covered entity under the proposed rule and, if so, regularly test their incident response plans in advance of an actual incident so that notifications can be timely and compliant.

Resources

How We Can Help

[i] https://www.cisa.gov/.

[ii] 6 U.S.C. 681-681(g).

[iii] Cybersecurity and Infrastructure Security Agency, DHS, Proposed Rule, Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, [Docket No. CISA–2022–0010] (“CISA Proposed Rule”), available at: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements.

[iv] See Congressional Research Service, CIRCIA: Notice of Proposed Rule Making: In Brief, (“CISA Rule Summary”) at p. 1, available at: https://crsreports.congress.gov/.

[v] See CISA Proposed Rule at § 226.1.

[vi] CISA Rule Summary at 1.

[vii] See 6 U.S.C. 681b(a)(1)(A); CISA Proposed Rule at §226.5(a).

[viii] See 6 U.S.C. 681b(a)(2)(A); CISA Proposed Rule at §226.5(b).

[ix] See Small Business Size Regulations, https://www.ecfr.gov/current/title-13/chapter-I/part-121.

[x] CISA Proposed Rule at § 226.2(a).

[xi] Department of Homeland Security, chemical facility anti-terrorism standards, 6 CFR Part 27, available at: https://www.ecfr.gov/current/title-6/chapter-I/part-27.

[xii] Must have one of the following attributes: (A) Is designed to run with elevated privilege or manage privileges; (B) Has direct or privileged access to networking or computing resources; (C) Is designed to control access to data or operational technology; (D) Performs a function critical to trust; or (E) Operates outside of normal trust boundaries with privileged access. CISA Proposed Rule at § 226.2(b)(12)(ii).

[xiii] See Id. at § 226.2(b)(1)-(16).

[xiv] CISA defines ransomware attack to mean an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system that involves, but need not be limited to, the following: (1) The use or the threat of use of: (i) Unauthorized or malicious code on an information system; or (ii) Another digital mechanism such as a denial-of-service attack; (2) To interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system; and (3) To extort a ransom payment. (4) Exclusion. A ransomware attack does not include any event where the demand for a ransom payment is: (i) Not genuine; or (ii) Made in good faith by an entity in response to a specific request by the owner or operator of the information system. Id. at § 226.1.

[xv] Id. at § 226.3(a)-(d).

[xvi] Id. at § 226.1.

[xvii] Id.

[xviii] Id.

[xix] State, local, tribal, and territorial (“SLTT”).

[xx] 6 U.S.C. 650(22) refers to the definition of ransomware as above in endnote IV. https://uscode.house.gov/.

[xxi] CISA Proposed Rule at § 226.1.

[xxii] See Id. at § 226.5(a)-(d).

[xxiii] See https://www.cisa.gov/report.

[xxiv] CISA Proposed Rule at § 226.5(a)-(d).

[xxv] See CISA Proposed Rule at § 226.7-11.

Click here to view a downloadable PDF of the legal update.

This Cybersecurity, Data Protection & Privacy Alert is intended to keep readers current on developments in the law and is not intended to be legal advice. If you have any questions, please contact Matthew H. Meade at 412.566.6983 or mmeade@eckertseamans.com, Elizabeth Wilson at 215.851.8497 or ewilson@eckertseamans.com, Gregory Mazmanian at 215-851-8439 or gmazmanian@eckertseamans.com a member of our Cybersecurity, Data Protection & Privacy Practice Groups, or any other attorney at Eckert Seamans with whom you have been working for further information and assistance.

Share This Post

Authors

Matthew H. Meade Photo Pittsburgh

Matthew H. Meade

Member - Pittsburgh

See full bio
Elizabeth Wilson Photo Philadelphia

Elizabeth Wilson

Member - Philadelphia

See full bio
Gregory P. Mazmanian Photo Philadelphia

Gregory P. Mazmanian

Associate - Philadelphia

See full bio