As you may be aware, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law recently. Generally, the Cyber Incident Reporting Act states that covered entities will be required to report a cyber incident within 72 hours of it occurring. Additionally, a covered entity must report paying a ransom, due to a ransomware attack, no later than 24 hours after the payment has been made.

However, the Cyber Incident Reporting Act states that CISA, DOJ, and other Federal agencies will need to publish a Notice of Proposed Rulemaking within 24 months. Once the Notice has been published, they will have 18 months to issue a final rule to implement the reporting of cyber incidents. This means covered entities are not required to report prior to the final rule being issued. BlueOrange will continue to monitor the progression of the Cyber Incident Reporting Act and when reporting will be required.

In the meantime, here are some key points from the Cyber Incident Reporting Act as it stands:

  • The purpose of the Act is to track cyber incident trends to have a better understanding of:
    • Security control effectiveness
    • Tactics and techniques used by threat actors
    • The potential impact of cyber incidents on public health and safety
  • Gathering cyber incident activity will allow for:
    • Better and more accurate reporting
    • Timely alerts to warn covered entities of potential threats
    • The release of mitigation steps for current cyber incident trends
  • Rules of Reporting:
    • A covered entity is required to report a covered cyber incident to the Agency no later than 72 hours after the incident has occurred
      • What constitutes a covered cyber incident has not yet been determined; it will be defined in the final rule and will minimally include:
        • An incident that leads to substantial loss of confidentiality, integrity and availability of an information system or network
        • A disruption of operations due to a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability
        • A disruption of operations due to loss of service facilitated through a compromise of a cloud service provider, managed service provider, third-party data hosting provider or supply chain compromise
    • If a ransom payment is made, due to a ransomware attack, it must be reported within 24 hours of making the payment
    • The ransom payment and cyber incident can be reported together if it is within the 72-hour threshold
    • The covered entity will need to submit updates on the reported incident if new or different information becomes available
    • The final rule will outline how long the covered entity will be required to retain information regarding the incident and investigation