The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule.
Background. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is intended to provide the federal government with a better understanding of the nation’s cyberthreats and facilitate a coordinated national response to ransomware attacks. The FBI currently provides an avenue for voluntarily sharing information about cyber incidents and estimates that only a quarter of cyber incidents are actually reported to the FBI. Separately, current Department of Homeland Security (DHS) Transportation Security Administration (TSA) directives impose cybersecurity and reporting requirements for designated transportation operators and pipelines. Existing directives require select transportation and pipeline entities to report to CISA, within 24 hours, those cyber events that have the potential to disrupt operations. CIRCIA now provides that federal agencies may enter into agreements regarding the sufficiency of any such existing, substantially similar reporting obligations. When such agreements are in place, the reporting entity is exempt from new reporting requirements imposed by CIRCIA.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
Attorney Advertising—Sidley Austin LLP, One South Dearborn, Chicago, IL 60603. +1 312 853 7000. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships, as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP