Cybersecurity Incidents and Ransomware Attacks: Cybersecurity and Infrastructure Security Agency (CISA) Proposes Reporting Rule | Orrick, Herrington & Sutcliffe LLP
The Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, has proposed a rule that would govern whether, when, and how companies in critical infrastructure sectors report cybersecurity incidents and ransomware payments.
The Proposed Rule would require covered entities to report certain cyber incidents to CISA no later than 72 hours after the entity reasonably believes the incident occurred, and ransom payments within 24 hours of payment. The Proposed Rule also:
- Establishes the criteria for what constitutes a covered entity (as provided in further detail below).
- Details the types of cybersecurity incidents entities must report, as well as the content of those reports.
- Sets reporting deadlines and exceptions.
- Implements data retention requirements for reports and the underlying incidents.
- Outlines CISA’s authority to bring enforcement actions (through subpoenas and referrals to the U.S. Attorney General’s Office).
- Spells out rules for CISA sharing cybersecurity incident reports with other federal departments and agencies in response to FOIA requests and civil litigation.
The Proposed Rule implements reporting requirements under Section 2242 of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CISA says reporting will enhance its “ability to identify trends and track cyber threat activity across the cyber threat landscape . . . .”
Companies and individuals can submit comments on the proposal to CISA by June 3. CISA is required to issue a final rule within 18 months of publication of the Proposed Rule, or by October 4, 2025.
Who is Covered?
Presidential Policy Directive 21 established 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors (materials and waste), transportation systems, and water and wastewater systems.
Each sector had a plan that outlined the critical functions in that sector. The sector-specific plan gave guidelines on the types of industries included in the sector but did not provide definitive criteria for how a business would determine whether it is, in fact, part of critical infrastructure.
The Proposed Rule adds some clarity by specifying that an entity in a critical infrastructure sector would be covered if it exceeds the “small business” size standard under the North American Industry Classification System or if it operates under one or more enumerated sector-based criteria, including but not limited to:
- Owns or operates a covered chemical facility.
- Provides wire or radio communications service.
- Owns or operates critical manufacturing sector infrastructure, including metal, machinery, electrical and appliance, and transportation equipment.
- Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information, including companies covered under DFARS.
- Owns or operates financial services sector infrastructure. This includes entities regulated by the OCC, FRB, NCUA, FDIC, CFTC, and SEC, as well as money services businesses, and certain government-sponsored enterprises.
- Qualifies as an education facility, including higher education facilities and local education and state agencies with student populations of 1,000 or more.
- Provides essential public health-related services, including hospitals and some drug and medical device manufacturers.
- Owns or operates a commercial nuclear power reactor or fuel cycle facility.
- Owns or operates a qualifying community water system or publicly-owned treatment works.
- Is a transportation system or bulk electric and distribution system entity, including those required to report incidents under NERC rules.
- Is an information technology entity, including those offering services to the federal government, providers of critical software (as defined by NIST), domain name operators, and providers of operational technology (OT) and OT software components.
- Is involved with information and communications technology supporting election processes.
It is important to note that some enumerated sectors remain vague, such as entities that own or operate financial services sector infrastructure and information technology entities. As such, the Proposed Rule may cover a variety of businesses, large and small, given the breadth of the definition of “covered entity.”
What Types of Incidents are Covered?
The Proposed Rule covers “substantial cyber incidents,” including those that result in:
- A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
- A serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
- A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.
- Unauthorized access to a covered entity’s information system or network.
The Proposed Rule expands third-party provider reporting on incidents that cause any of the effects above, including those caused through the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider.
The Proposed Rule also covers “ransomware payments” made as a result of a ransomware attack. A ransomware attack includes any occurrence that actually or imminently jeopardizes the confidentiality, integrity, or availability of information on an information system, or that actually or imminently jeopardizes an information system, through methods such as the threat or use of unauthorized or malicious code or a denial-of-service attack that disrupts any information or compromises data in order to extort a ransom payment.
What are the Timelines for Reporting?
The Proposed Rule imposes deadlines to report incidents:
- Covered cyber incidents must be reported no later than 72 hours after the covered entity reasonably believes the incident occurred.
- Ransom payments must be reported no later than 24 hours after the payment has been disbursed.
- Joint incident and ransom payment reports (where the ransom payment is made within 72 hours after the incident occurred) must be submitted within 72 hours after the covered entity reasonably believes the incident occurred.
- Supplemental reports must be submitted promptly. If a supplemental report is made regarding a ransom payment after the covered entity has submitted the covered cyber incident report, the covered entity must submit the supplemental report no later than 24 hours after the ransom payment has been disbursed.
The Proposed Rule establishes other reporting requirements and guidelines, including:
- Entities must submit reports via a web-based CISA reporting form.
- Third parties may submit reports on behalf of covered entities.
- Reports must contain contact information for the submitter/covered entity, information concerning the incident/cyber-attack, and, if applicable, attestation by the third party submitting the report.
What Goes Into a Report?
For cyber incidents and ransomware payments, a covered entity must report:
- A description of the incident or ransomware attack, including pertinent technical details and incident timeline.
- A description of any vulnerabilities exploited.
- A description of the covered entity’s cybersecurity defenses.
- Any indicators of compromise observed in connection with the incident.
- A description of mitigation and response activities taken in response to the incident.
A covered entity reporting a cybersecurity incident also must disclose the category or categories of information the threat actor accessed or acquired.
For ransomware payments, the covered entity also must report:
- A description of the tactics, techniques, and procedures used to perpetrate the ransomware attack.
- A description of the ransom instructions and payment details.
- Outcomes associated with making the ransom payment.
If a covered entity experiences a cybersecurity incident and makes a ransom payment within 72 hours of discovering the incident, the entity may file a joint report consisting of all available required information.
If the covered entity makes a payment after 72 hours, the additional report is deemed to be a supplemental report.
What Other Obligations Apply?
The Proposed Rule requires covered entities to preserve records relating to the incident and ransom payments in their original format or form for at least two years from the date the information is submitted to CISA. These records include, among other things, communications with the threat actor, log entries, forensic reports, network data, and information about exfiltrated data.
Covered entities may also be required to respond to subpoena requests from CISA for additional information. If CISA believes a business submitted materially false or fraudulent information, the CISA director may refer the matter to the Attorney General or other federal authorities for civil or criminal enforcement.
Other Considerations
Many covered entities already have obligations to report incidents to sector-based regulators. The Proposed Rule includes a reporting exemption for them as long as an interagency agreement exists between that agency and CISA. At this time, there are no such interagency agreements in place. It is unknown how the interagency agreement process will mature over the next few years, and whether such submissions would receive protections similar to the information-sharing restrictions provided under the Proposed Rule, including applicable non-waiver of privilege, protection from FOIA, and evidentiary and discovery bars for reports in connection with litigation.
Additionally, since third parties are authorized to report on behalf of a covered entity, the process may be more streamlined for supply chain compromises and other third-party incidents that impact multiple covered entities.
What Should Companies Consider Doing?
Here are steps potentially covered entities should consider taking, particularly in the financial services, information technology, and healthcare sectors:
- Determine if the company meets the definition of a “covered entity.”
- Update incident response, disaster recovery, and business continuity plans to align with CISA’s reporting requirements and mechanisms.
- Develop or update a ransomware playbook that includes safeguards for avoiding OFAC violations.
- Prepare for the possibility of increased analysis and review:
  - The Proposed Rule envisions requirements that would demand more forensic analysis and investigation.
  - It also expands the scope of incidents deemed reportable, including denial-of-service attacks.
More Tips for Covered Entities
The biggest anticipated challenge for many businesses – particularly in the areas of financial services, information technology, and healthcare – is determining whether they meet the definition of a “covered entity.”
Financial services companies should determine whether their activities fall into the sector-specific descriptions of “critical financial functions.” That includes providers of:
- Deposit, consumer credit, and payment systems products.
- Credit and liquidity products.
- Investment products.
- Risk transfer products.
If a financial services company does not fall into the categories under any critical financial function (or is a small business), it must then determine whether it falls into any enumerated function, including whether the company is a money services business.
Information technology companies must consider whether they fall into sector-specific descriptions of critical functions in the information technology space. That includes providers of:
- IT products and services.
- Domain name resolution.
- Internet-based content, information, and communications services.
- IP routing, access, and connection.
- Incident management capabilities.
If an IT company does not fall into such categories (or is a small business), it must then determine whether it provides “critical software” technologies or OT. If neither applies, the company should determine whether it has sold or plans to sell services to the federal government.
Healthcare entities must consider whether they fall into the sector-specific descriptions of critical functions in the healthcare space, which include:
- Direct patient care (e.g., hospitals, urgent care clinics, doctors, and dentists).
- Health information technology.
- Medical research institutions.
- Medical record system vendors.
- Health insurance companies (including health plan providers and payers).
- Local and state health departments.
- Mass fatality management capabilities (including cemeteries, blood banks, crematoriums, morgues, forensic examiners, psychological support groups, and funeral homes).
- Pharmaceutical and other medical supply manufacturers and distributors.
- Medical laboratories.
- Drug store chains.
- Medical supply and device manufacturers.
If a healthcare entity does not fall into such categories (or is a small business), it must then determine whether it is a hospital with 100 or more beds or a critical access hospital, or whether it manufactures drugs listed in Appendix A of the Essential Medicines Supply Chain and Manufacturing Resilience Assessment or a Class II or Class III device.
Some companies may also be subject to the Rule due to a small portion of their business. The Proposed Rule covers any company required to report cyber incidents to the Department of Defense under DFARS Rule 252.204-7012. This requirement potentially encompasses a variety of small businesses, including consulting firms, where only a small percentage of work is derived from government contractors.