New Cyber Incident Reporting Requirements for Critical Infrastructure Act and Impacts on Law Firms

Cyberattacks and data breaches have increased in frequency and sophistication over the past few years, and will continue to occur due to geopolitical tensions, the continued evolution of and expanded use of new technologies, increasingly complex business ecosystems, and other factors. Attacks and breaches are impacting every industry, especially the Critical Infrastructure Segment. Law firms representing Critical Infrastructure clients may have new cyber incident reporting obligations, based on the Cyber Incident Reporting for Critical Infrastructure Act.¹

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), creating new requirements for organizations operating in critical infrastructure sectors to report to the federal government certain cyber incidents and related ransom payments.

The Act requires organizations operating in critical infrastructure sectors to report "substantial" cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity reasonably believes the incident occurred; provide reports to CISA of substantial new or different information that becomes available until the incident has concluded and been fully mitigated and resolved; report ransom payments to CISA² within 24 hours after making the ransom payment; and preserve data related to cyber incidents or ransom payments in accordance with procedures to be established by CISA. The new reporting obligations will not take effect until the director of CISA promulgates implementing regulations, including “clear description[s] of the types of entities that constitute covered entities.” Covered entities could include law firms representing critical infrastructure clients.

Companies supporting, or operating as part of, the critical infrastructure sector should consider taking steps to review their response plans to ensure that legal and compliance professionals are brought in early, particularly since events that do not implicate personal information may now require regulatory notifications. The Act requires affected organizations to report incidents as they are unfolding, as well as issue follow-up reports, so businesses should consider integrating legal and compliance reviews and actions into their cybersecurity preparations and functions. The Act, as well as other recent federal government measures, will necessitate critical infrastructure organizations’ legal counsel and information security personnel to work more closely together to defend the nation’s infrastructure.

Challenges/Pitfalls

The common characteristics of critical infrastructure organizations that are victims of a data breach include:

Lack of an organizational cybersecurity strategy — An organizational cybersecurity strategy articulates how an organization intends to use its resources, personnel, and tools to improve its cybersecurity posture. A strategy also addresses what organizations will do and not do and serves to align cybersecurity projects to the business mission, and provides the foundation for detailed, tactical policies and procedures.

Lack of basic cyber hygiene practices — Organizations should have an ongoing security awareness and training program in concert with the organizational cybersecurity strategy focused on creating a cyber-conscious culture to protect against phishing and ransomware attacks; as well as implementing vulnerability management, patch management, identity and access management, least privilege, configuration management, data encryption, email filtering, and third-party/supply chain risk management.

Insufficient governance — Tactical system cyber risks are tracked by the IT department, and senior leadership frequently lacks adequate visibility and context to manage the impact of cyber-risks to the overall business mission.

Regulatory compliance is not adequate — Many organizations meet compliance obligations and are still victims of data breaches. Compliance cannot be confused with zero, or even low operational risk.

Actions You Should Take

Develop a cybersecurity strategy

• Conduct a security risk assessment
• Set your security goals
• Evaluate your organization’s IT
• Select a security framework (ISO 27001 is a worldwide tailorable standard). Note: Defense Industrial Base organizations should follow Cybersecurity Maturity Model Certification guidance
• Review organization’s security policies
• Create a risk management plan
• Implement your security strategy
• Evaluate your security strategy at least annually or when there are changes to your IT environment, changes to your business mission and objectives, and/or changes in local and global cyberthreats

Adopt and implement written cybersecurity policies and procedures that are reasonably designed to address the cybersecurity risks relevant to your specific businesses, which could impact your clients and investors. Review them on an annual basis.

Report
Develop an incident response plan that clearly defines roles and responsibilities of key stakeholders, including incident-reporting obligations. Messaging guidance and even templates for external communications should be developed prior to an event, and approved by executive leadership.

Reasons Why Customers Choose Guidehouse

Proven Approach

• Leading some of our nation’s largest cyber programs
• Successfully helped secure numerous commercial and public sector client environments
• Leverage our highly technical expertise
• Deliver scalable and sustainable independent consulting without the veneer of vendor bias.

Technology Agnostic

• Long-standing, deep technical experience
• No corporate alliances or reliance on vendor solutions
• Maintain independence and avoid technical bias
• Perfects our ability to provide objective, comprehensive consulting

Highly Expert Teams

• Led by former Senior NSA Cyber Leaders, CISOs, and DPOs
• More than four decades successfully providing strategic guidance in the design and operation of cybersecurity programs
• Highly experienced cyber team with exceptional cross-industry and operations diversity
• Hands-on expertise to help secure your organization’s data and systems