On November 15, 2021, President Biden signed the Infrastructure Investment and Jobs Act into law, authorizing $1.2 trillion for infrastructure spending, including approximately $2 billion for various federal cybersecurity projects. This adds to a large number of cybersecurity bills that are currently pending before Congress. In this Debevoise Data Blog post, we outline the key themes and takeaways of these pending bills, and what companies can expect in terms of new cybersecurity obligations in 2022.
The bills, which largely focus on critical infrastructure, appear to be coalescing around three key concepts:
- Expanding the Role of the Cybersecurity and Infrastructure Security Agency (“CISA”). At least five of the proposed bills would grant CISA rulemaking authority, with direction to define who must report cybersecurity incidents to CISA, when, and the content and logistics of reporting. Under certain bills, CISA would also have authority to promulgate cybersecurity standards and conduct examinations. This authority would allow CISA to formalize the preliminary cybersecurity performance goals for critical infrastructure it issued in September 2021, which we analyzed last month, as well as forthcoming sector-specific performance goals.
- Clarifying Who Falls Under the Definition of “Critical Infrastructure”. The Department of Homeland Security defines critical infrastructure as those “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination” thereof. A common theme among the proposed bills is to mandate certain categories of entities for inclusion, including cloud service providers, managed service providers, and incident response service providers, yet also retain a broader critical infrastructure catchall. Under a number of proposals, CISA is directed to define the types of “covered entities” that will have reporting or other regulatory requirements, suggesting that while the general definition of critical infrastructure will remain very broad, clarity on which companies are subject to CISA’s reporting obligations and exam authority is forthcoming.
- Establishing a Mandatory Breach Reporting Requirement. At least seven of the pending bills would establish a mandatory breach reporting requirement for, at a minimum, a set of critical infrastructure entities, cloud service providers, managed service providers, and federal contractors. All of the proposed bills either mandate or encourage CISA to set a rapid notification period of 24 to 72 hours.
Despite increasing agreement on these points, open questions remain on a number of important items. As the various bills are debated and refined, we expect to see further guidance on the following items:
- The Scope of a Reportable Cyber Incident May Be Broad. Under each of the proposals for mandatory incident reporting, CISA is directed to define what constitutes a qualifying cyber incident. The bills are largely split over whether this obligation is limited to ransomware events, or would apply to a broader range of cybersecurity or resiliency incidents as defined by CISA. One proposal includes limiting language that the cyber incident be “substantial” as a result of “a substantial loss of” or “serious impact on” the “confidentiality, integrity, or availability of information system[s] or network[s],” or an operational disruption. Another lacks many of those qualifiers. A third bill specifies that the reportable incident will include “potential cybersecurity intrusion[s]” that would expand reporting to unconfirmed incidents.
- Increased Scrutiny on Ransom Payments. While Congress continues to mull the possibility of banning the payment of ransom demands altogether, its recent legislative proposals include clear deterrence mechanisms. Each of 2875, S. 2943, H.R. 5501, S. 2926, and S. 2666 has a mandatory 24-48 hour ransom payment reporting requirement (which in one case applies only to critical infrastructure entities, and in the other cases applies to all entities engaging in interstate commerce or that receive federal funds), with a range of confidential and public information sharing and reporting provisions. Under other bills, CISA could propose similar reporting requirements during rulemaking.
- There is Not Yet Consensus About CISA’s Enforcement Authority. The proposed bills take different approaches in defining CISA’s ability to enforce either a breach reporting requirement or substantive cybersecurity standards, ranging from authorizing CISA to issue fines to enforce reporting violations, to granting CISA the power to issue subpoenas and bring civil actions for noncompliance, to only permitting referrals to other agencies for review and prosecution. CISA Director Jen Easterly has urged that legislation permit CISA to impose fines for reporting failures, and believes that subpoenas are “not an agile enough mechanism” to encourage a sufficient level of information sharing.
- Lack of Clarity on the Use of Reported Data. The proposed reporting bills also vary in how the information provided by reporting entities will be used and shared, and in its level of confidential treatment. What specific information will be required in reports from entities to CISA is left to rulemaking. The bills do indicate, however, that CISA would need to issue quarterly public reports using aggregated data and findings, data-sharing reports among sector-specific agencies, and potentially classified reports to select Congressional committees.
- CISA’s Regulatory Regime Aims to Avoid Conflict with Other Regulators. For many critical infrastructure entities, especially those in the energy and financial services sectors, regulations and standards from CISA would be layered on top of preexisting requirements from other sector- or jurisdiction-specific regulators, creating the risk of conflicting obligations. Some of the proposed bills acknowledge this issue and contain provisions directing CISA to coordinate with sector risk management and other regulatory agencies to “harmonize” its regulatory regime to “avoid conflicting, duplicative, or burdensome requirements.”
While it is unclear whether and when any of these bills will be passed, at least some may end up incorporated into the final version of the 2022 National Defense Authorization Act. If passed, bills with reporting requirements provide for an initial period of time for rulemaking and the creation of a reporting system before going into effect. Nevertheless, these bills make clear that federal cybersecurity regulation containing an incident reporting requirement, and potentially providing for additional cybersecurity standards and exams, is in the cards for critical infrastructure entities. With this in mind, companies should begin to consider the following:
- Reporting and Communications Strategy Should Account for Reporting Timeline. For entities that are not already subject to a narrow mandatory reporting window, such as those under Regulation SCI, NYDFS Part 500, GDPR, or Security Directive 1, designation as a CISA covered entity for incident or ransom payment reporting warrants preparing for accelerated communication timelines in the event of an incident. An obligation to notify CISA within 24-72 hours of a cybersecurity incident may necessitate notifications to other regulators earlier than previously required. Companies should assess what impact a prompt notification to CISA might have on their broader identification, escalation, reporting and communication plans.
- Assess Your Security Posture Against CISA Preliminary Goals. Given that a number of proposed bills would grant CISA the authority to promulgate cybersecurity program standards and conduct examinations of covered entities, critical infrastructure entities should consider assessing how existing cybersecurity programs match up against CISA’s presently voluntary cybersecurity performance goals for critical infrastructure, which we can expect to see incorporated into proposed rulemaking. As we recommended last month, critical infrastructure organizations should identify any differences and consider improvements to narrow those gaps.
- Prepare for Scrutiny in the Event the Company Pays a Ransom. The intense government focus on ransomware and the potential payment of a ransom is unlikely to subside anytime soon. It appears very likely that mandatory reporting by critical infrastructure entities of any ransom payment is coming, but it remains to be seen what new level of scrutiny companies will face when they do report a payment, even where there is no apparent sanctions concern. Aligning with CISA’s recommendations in its Ransomware Guide from September 2020 may prove helpful to companies looking to bolster cybersecurity defenses, set stakeholder expectations, and mitigate regulatory scrutiny.
This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “An Overview of Proposed Cybersecurity Legislation: Which Incidents Are Covered, Who Counts as Critical Infrastructure, and What New Obligations Are Created?” dated November 22, 2021, and available here.