On March 15, 2022, the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022, also known as CIRCIA, was signed into law. For companies that provide critical infrastructure, this Act establishes significant new reporting requirements that apply to ransomware payments and other cybersecurity incidents. Non-compliance with this Act can lead to regulatory enforcement action or criminal prosecution.
Who are the covered entities under CIRCIA?
The following list identifies those operating in a “critical infrastructure sector”:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Bases
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
*This list covers companies in a broad range of categories. Currently, there are no limitations in terms of company size or revenue, though this could change with the final rule.
What are the reporting requirements?
For covered entities, CIRCIA has two main reporting obligations: 1. covered cyber incidents and 2. ransomware payments.
1. Under the Act, covered entities must report covered cyber incidents to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity either has actual knowledge of a covered cyber incident or reasonably believes that a covered cyber incident has occurred.
While the details of a “covered cyber incident” are to be fully determined by the final rule to be issued under the Act, we understand a covered incident must minimally involve “substantial loss of confidentiality, integrity or availability of an information system or network, or a serious impact on the safety and resiliency of operations systems and processes.”
2. Ransomware payments must be reported to CISA within 24 hours. A payment is defined as “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.”
When will CIRCIA go into effect?
The effective date will be determined when a final rule is issued. Under the Act, CISA was given a 24-month period, starting March 15, 2022, to publish a notice of proposed rulemaking. Once that notice is published, CISA has an additional 18 months from the publication date to release a final rule.
For companies that are likely to be subject to CIRCIA, implementing cybersecurity protocols, incident response management, and cybersecurity policies and procedures will not only reduce the burden of compliance in the future but also manage cybersecurity risk today.
CyberFin is a next-gen cybersecurity MSSP. CyberFin actively manages systems and data to keep out cyber criminals and provides guidance and tools for staying compliant. We have our own hand-picked tools, proprietary technology and in-house experts managing all of it for our customers. We take a holistic approach to keeping cyber criminals and fines out of your office. Contact us today to learn more.