On March 15, 2022 the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022, also known as CIRCIA, was signed into law. For companies that provide critical infrastructure, this Act establishes significant new reporting requirements that apply to ransomware payments and other cybersecurity incidents. Non-compliance of this Act can lead to regulatory enforcement action or criminal prosecution.
The following list identifies those operating in a “critical infrastructure sector:”
*This list addresses companies in a broad range of categories. Currently, there are no limitations in terms of company size or revenue, though this could change with the final rule.
For covered entities, CIRCIA has two main reporting obligations: 1. Covered cyber incidents and 2. Ransomware payments.
While the details of a “covered cyber incident” are to be fully determined with the final rule to be issued under the Act, we understand a covered incident must minimally involve “substantial loss of confidentiality, integrity or availability of an information system or network, or a serious impact on the safety and resiliency of operations systems and processes.”
2. Ransomware payments must be reported to CISA within 24 hours. A payment is defined as “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.”
The effective date will be determined when a final rule is issued. Under the Act, CISA was provided a 24-month time period, from March 15, 2022, to publish a notice of proposed rulemaking. Once published, CISA then has an additional 18 months from the publication date to release a final rule.
For companies who are likely to be subject to CIRCIA, implementing cybersecurity protocols, incident response management and cybersecurity policies and procedures will reduce the burden of compliance in the future, but also manage cybersecurity-risk today.
For more information on CIRCIA, visit the CISA website or view their information sheet.
CyberFin is a cybersecurity Next-Gen MSSP. CyberFin actively manages the systems and data to keep out cyber criminals and provide guidance and tools for staying compliant. We have our own hand-picked tools, proprietary technology and in-house experts managing all of it for our customers. We are a holistic approach to keeping the cyber criminals and fines out of your office. Contact us today to learn more.