US President Biden signs cyber incident reporting for Critical Infrastructure Act into law

The Cyber Incident Reporting Act introduces new cybersecurity reporting requirements that will apply to businesses in almost every major sector of the economy.

The Cyber Incident Reporting Act imposes four primary reporting and related requirements on “covered entities” in the event of a “covered cyber incident” or a ransomware payment:

  1. An entity that experiences a cyber incident must report that incident to CISA no later than 72 hours after it reasonably believes that the incident occurred;
  2. An entity that makes a ransom payment as the result of a ransomware attack must report the payment to CISA not later than 24 hours after the ransom payment has been made;
  3. An entity must “promptly” submit to CISA an update or supplement to a previously submitted covered cyber incident report if “substantial new or different information becomes available”;
  4. An entity must preserve data relevant to the cyber incident or ransom payment.

The Cyber Incident Reporting Act delegates to CISA the task of defining “covered entity” in future rulemaking, drawing from entities in the sixteen critical infrastructure sectors identified by the Act, including “Healthcare and Public Health” as well as sectors covering broad segments of business such as “Commercial Facilities,” “Communications,” “Financial Services,” “Critical Manufacturing,” “Energy,” “Information Technology,” and “Transportation Systems,” among others.

The Consolidated Appropriations Act, 2022
The JD Supra Article