Written by: Jacob Holland
CISA Proposes New Rule to Require Reporting of Cyberattacks & Ransomware Payments
Key Takeaways:
- CISA’s NPRM can help bring more clarity and actionable intelligence to financial institutions.
- The NPRM mandates reporting significant cyber incidents within 72 hours and ransomware payments within 24 hours, complementing existing obligations.
- CISA aims to reduce national cyber risk through early warnings and coordinated responses with public and private sectors.
- The NPRM can improve threat awareness, earlier detection, and coordinated responses, enhancing infrastructure resilience.
The Cybersecurity and Infrastructure Security Agency (CISA) has reached a new milestone in enhancing America’s cybersecurity posture through the release of the Notice of Proposed Rulemaking (NPRM) required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This NPRM marks a pivotal step in fortifying the nation’s cyber defenses and can help bring more clarity and actionable intelligence to financial institutions.
Under the proposal, regulated financial institutions and other critical infrastructure sectors would be mandated to report significant cyber incidents to the Department of Homeland Security (DHS) or the Cybersecurity and Infrastructure Security Agency (CISA) within strict time frames. They must report cyber incidents within 72 hours and any ransomware payments within 24 hours. Additionally, they must promptly provide supplemental reports if substantial new information about the incident emerges.
These reporting requirements complement existing obligations, which include notifying financial regulators of computer security incidents within 36 hours and complying with a new Securities and Exchange Commission (SEC) mandate for publicly traded companies to disclose significant cyber incidents within four business days. However, the NPRM does not replace standards already in place through the Gramm–Leach–Bliley Act (GLBA), the SEC, the New York State Department of Financial Services (NYSDFS), and others. This rule will only add to existing rules, with the goal of ensuring financial institutions can better understand potential threats.
The cyber incidents subject to reporting include:
- Denial-of-service attacks causing prolonged unavailability of services to customers.
- Cyberattacks encrypting core business or information systems.
- Unauthorized access to business systems due to compromised software or credentials.
- Ransomware attacks locking entities out of industrial control systems.
Reports must include entity contact information, details of affected systems, operational impacts, and more. Additionally, reports on ransomware payments must disclose payment data and amounts, among other specifics.
What CISA’s Proposed Rule Means Moving Forward
- CIRCIA Mandate Fulfillment: CISA’s release of the NPRM aligns with the mandate set forth by the CIRCIA, demonstrating progress in fulfilling legislative requirements to bolster cybersecurity measures. Stakeholder input has been crucial in shaping the NPRM, emphasizing the inclusive approach adopted by CISA in developing regulatory frameworks. The NPRM will soon be published in the Federal Register, initiating a 60-day public comment period. Stakeholders, including the critical infrastructure community, are encouraged to provide written feedback to express any concerns.
- Real-Time Incident Response: Implementation of CIRCIA will empower CISA to use reported cybersecurity incident data to identify patterns in real time, fill critical information gaps, and deploy resources swiftly to aid entities affected by cyberattacks. This capability enhances CISA’s ability to respond effectively to cyber incidents and prevent further victimization.
- Cyber Risk Reduction: CIRCIA implementation enables CISA to gain insight into the cyber threat landscape, driving national cyber risk reduction efforts. By providing early warnings to entities at risk and facilitating coordinated responses with public and private sector partners, CISA aims to enhance cybersecurity resilience across critical infrastructure sectors.
- Future Implications: The development and implementation of CIRCIA have broader implications for the cybersecurity community, promising improved threat awareness, earlier detection of adversary campaigns, and more coordinated responses to cyber threats. CISA remains committed to driving national cyber risk reduction efforts and fostering collaboration across sectors.
CISA’s release of the NPRM signifies a critical milestone in advancing cybersecurity efforts and exhibits the agency’s proactive approach to addressing cyber threats. Through collaboration, transparency, and stakeholder engagement, CISA aims to enhance the resilience of America’s critical infrastructure and mitigate cyber risks effectively. It is important to watch CISA announcements closely to ensure your organization is receiving any alerts related to the new rule. Given the impact this rule could have, it is crucial to consider how this will affect your reporting requirements and currently documented policies and procedures.
If you have any questions regarding CISA’s proposed rule or are seeking assistance in this area, please reach out to a member of our team!