A major shift in cybersecurity regulation is on its way for organizations that support America’s most vital industries. Beginning in 2025, critical infrastructure entities will be required to report cybersecurity incidents and ransomware payments to America’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA). The goal? To enable the security community to stay informed and ahead of evolving threats and empower the CISA to quickly deliver support to cyber-attack victims.
These new rules come after the passage of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in 2022, which aimed to strengthen America’s cyber defenses through better transparency, collaboration and monitoring of the cyber threat landscape. While the precise terms and language of the new regulations have not been finalized, the gist is this: Covered entities will soon have just 72 hours to report significant cyber incidents to the CISA and 24 hours to disclose ransomware payments.
The public has until July 3, 2024, to submit comments on the proposal, at which time the CISA will begin developing the Final Rule. While we wait for this pending date, here are three key items organizations need to know about CIRCIA today.
1. Who Will CIRCIA Impact?
While the CISA has opted for a broad definition of what constitutes a critical infrastructure entity, organizations covered by CIRCIA can be categorized into two groups:
- Any organization (excluding small businesses) that operates in one of 16 identified critical infrastructure sectors as defined by the CISA — including industries like transportation, food and agriculture, financial services and more.
- Organizations that meet one or more of 16 sector-specific criteria — such as those who own or operate certain types of facilities or provide critical services to the public. Note: If any part of your operations meets these criteria, your entire organization will be required to report under CIRCIA, no matter your primary industry.
If you’re unsure whether your organization will be subject to reporting under CIRCIA, you can use this in-depth decision tree from the CISA to find out.
2. What Are Entities Required to Report?
Organizations today are constantly inundated with cyber threats ranging from phishing emails to malware-infected links and more. While problematic, these events are unlikely to pose a real threat to critical infrastructure. That’s why CIRCIA only requires reporting of substantial cyber incidents, including those that result in:
- Substantial loss of confidentiality, integrity or availability of an information system or network
- Serious impact to safety and resilience of systems and processes
- Prolonged or significant disruption of operations
- Unauthorized access to an information system or network via a third-party — such as a cloud service provider
3. Why Is CIRCIA Important?
According to a recent cybersecurity survey, 70% of cybersecurity professionals globally feel their organization is at risk of a material cyber-attack in the next 12 months, yet only 57% feel that their organization is prepared to respond to one. Tracking the actual prevenance of cyber-attacks, particularly those targeting large organizations, has so far been a challenge for researchers due to the fear of stigma among affected companies. The hope of CIRCIA is that, by creating an outlet for timely, confidential reporting, the CISA will be better equipped to render assistance, track evolving threats and prevent others from falling victim to similar attacks.
The CISA has repeatedly emphasized that the goal of CIRCIA is not to shame or punish the victims of cyber-attacks — in fact, information submitted under CIRCIA is prohibited from use for regulatory enforcement purposes. However, that’s not to say companies shouldn’t take CIRCIA seriously, as failure to comply with reporting rules could result in subpoena or suspension or debarment from government contracts. Plus, information obtained via subpoena will not be exempt from regulatory action, Freedom of Information Act (FOIA) requests or receive any other protections associated with CIRCIA reports. That’s why it is crucial that covered organizations ensure they have a firm understanding of these new regulations and a plan in place to maintain compliance.
Have Questions? We’ve Got You Covered.
Keeping up with ever-changing compliance rules can be a daunting task, but we’re here to help. Our team of cybersecurity, compliance and risk advisory experts can help unpack the impacts of CIRCIA for your organization, answer questions and guide you as you navigate the changes ahead. Reach out to a member of our team to start a conversation today.
- Gina Gondron, IT Risk & Compliance Partner: gina.gondron@frazierdeeter.com
- Brandon Sherman, Cyber Advisory Partner: brandon.sherman@frazierdeeter.com
- Shelby Nelson, SOC National Practice Partner: shelby.nelson@frazierdeeter.com