Shortly after the SEC announced its cybersecurity disclosure proposal (see SEC Proposes Cyber Attack Disclosure Requirements, in this Update), another cybersecurity reporting development occurred. Among other things, the Consolidated Appropriations Act, 2022, signed by President Biden on March 15, requires “critical infrastructure entities” to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity reasonably believes that it has been subject to a cyber incident. Critical infrastructure entities must also report payments made in response to ransomware attacks to CISA within 24 hours. Reports to CISA, unlike those proposed by the SEC, will be non-public.
The reporting obligations in this legislation will not become effective until CISA promulgates rules defining the terms “critical infrastructure entity” and “cyber incident.” In defining the entities covered by the reporting requirement, CISA is likely to look to an existing presidential directive which identifies sixteen critical sectors, including chemicals; communications; defense; emergency services; energy; financial services; food and agriculture; healthcare and public health; information technology; transportation; and water and wastewater systems.