Tech & Sourcing @ Morgan Lewis


The US Cybersecurity and Infrastructure Security Agency (CISA) has recently released draft rules that are set to reshape how critical infrastructure companies report cyberattacks to the US government. The rules are designed to improve the country's cybersecurity by making sure cyber incidents are reported quickly and thoroughly. This could help create a clearer understanding of cyber threats and may mitigate against future cyberattacks.

Who Is Affected?

The draft rules cast a wide net, targeting companies that own or operate systems deemed critical infrastructure by the US government, encompassing sectors like healthcare, energy, manufacturing, and financial services. Furthermore, the rules extend to companies with operations that are vital to a sector's functionality, including various service providers.

Note, however, the draft rules provide for some exceptions for small businesses based on the US Small Business Administration’s criteria regarding revenue and employee counts, so companies that believe that they may fall into that category should further explore those specific exceptions to determine whether the rules would be applicable.

What Are the Requirements?

Under these draft rules, companies are mandated to report "substantial" cyberattacks within 72 hours and ransom payments within 24 hours. CISA defines incidents as “substantial” if they involve unauthorized access leading to significant operational downtime or impairments. Minor incidents, such as phishing attempts or unauthorized activities that do not result in significant downtime, for example, are not required to be reported.

Consequences of Noncompliance

The key question that any company subject to these rules may be asking is “what happens if we fail to comply?” CISA has outlined mechanisms to enforce compliance, including administrative penalties for non-reporting entities. For example, CISA can request information via a subpoena to compel disclosure of the cybersecurity incident. Moreover, matters may be referred by CISA to the US Attorney General for civil proceedings if subpoenas are ignored.

Next Steps

The draft rules are now open for a 60-day window for public comment. As reported in the Wall Street Journal, “[c]ompanies have opposed reporting requirements, saying that assessing an attack early on is difficult. They also worry disclosing too many specifics may aid attackers by revealing details of incident-response processes and cyber defenses.” After the 60-day window has closed, CISA will finalize the rules, and for the first time, have a comprehensive set of cybersecurity rules across critical infrastructure sectors.