Entities in the energy industry are subject to a vast amount of reporting regulations. Earlier this year, the US Securities and Exchange Commission (SEC) finalized rules regarding the disclosure of cybersecurity attacks, adding another layer of reporting for energy companies. However, prior to that, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which established further reporting requirements specific to certain covered entities, but also created a new council tasked with harmonizing federal incident reporting requirements.
On July 26, 2023, the SEC adopted final rules and amendments (the Final Rules) for mandating disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting. Effective September 5, 2023, the rules require real-time disclosure of material cybersecurity incidents, as well as ongoing disclosure regarding a company’s cybersecurity risk management, strategy, and governance, as well as board of directors’ cybersecurity expertise.
The rules were adopted to address the increasing prevalence of cyber incidents, as well as companies’ ever-rising reliance on information systems and the extensive, and potentially material, costs of both cyber protection and cyber incidents, which in term can impact stock prices and stockholder value.
A key implication of the Final Rules is that companies should have processes in place to not only manage the risk of cybersecurity events, but also to assess the materiality of such events in short order upon occurrence. Importantly, a materiality analysis should include both quantitative and qualitative assessments. Additionally, the Final Rules confirm that “most companies’ materiality analyses will include consideration of the financial impact of a cybersecurity incident.”
Compliance dates for the Final Rules begin in mid-December 2023. Cybersecurity executives at impacted companies should consider the following:
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires owners and operators of critical infrastructure to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). CIRCIA imposes a 72-hour deadline for covered cyber incidents and a 24-hour deadline for ransom payments.
CISA was tasked with developing regulations to fill in the gaps in the law, which it began with a request for information (RFI) published in the Federal Register in September 2022. The RFI highlighted several open implementation issues, including applicability, reporting timelines, harmonization with existing regulatory requirements, implications for third parties, and enforcement and liability questions. It is worth noting that CIRCIA grants CISA subpoena power and other enforcement tools.
Now that CISA has completed its “listening sessions” to solicit feedback from the public and other stakeholders, it will formalize its rulemaking. A formal Notice of Proposed Rulemaking (NPRM) is due by March 2024, but is reportedly ahead of schedule. The final rule must be issued within 18 months after publication of NPRM.
Entities in the energy industry are already subject to multiple overlapping cyber incident reporting requirements, leading to disparate requirements driven by different regulatory and policy objectives, including national security, public safety, consumer and shareholder protections, and market transparency. Reporting requirements are also imposed at every level of government—federal, state, and local—and include both mandatory and voluntary reporting.
To address this complex web of regulations, Congress, in CIRCIA, established a Cyber Incident Reporting Council (CIRC) to coordinate, deconflict, and harmonize federal incident reporting requirements. In its report, CIRC comprehensively assessed 52 in-effect or proposed federal cyber incident reporting requirements. It found that 45 requirements are currently in effect across 22 agencies.
Additionally, CIRC found significant duplication for certain entities, magnified by the application of cross-sector regulatory requirements and voluntary reporting. Further, divergent timelines and triggers for reporting cyber incidents present significant challenges. To streamline reporting, CIRC provided several recommendations, including the following:
Entities monitoring for cyberattacks often struggle to screen out the noise, including low-level attacks, “false positives,” and a simply overwhelming amount of data. This creates challenges for deriving meaningful and timely insights on potential cyber incidents. While there historically has been a reliance on human analysts and SOC coordination to initiate incident response activities, some artificial intelligence (AI) solutions are already leveraging monitoring and machine learning to streamline security operations. This increased integration of AI in triage and incident response activities should lead to greater efficiency and help with identifying abnormalities and automated responses.
On October 30, 2023, however, US President Joseph Biden issued a sweeping executive order requiring the National Institute of Standards and Technology (NIST) to develop AI standards to ensure systems are “safe, secure, and trustworthy.” While the final standards have yet to be determined, they likely will introduce caution on the use of AI in critical infrastructure, particularly in ways that could result in harm to that infrastructure due to misuse or unpredictability.
If you’re interested in Developments & Trends in Cybersecurity and Digital Transformation for the Energy Industry, as part of our Tech & Sourcing: An Industry-Focused Webinar Series, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.