By Alma Angotti
Cyberattacks and data breaches have increased in frequency and sophistication over the past few years, and will continue to occur due to geopolitical tensions, the continued evolution and expanded use of new technologies, increasingly complex business ecosystems, and other factors. Attacks and breaches are impacting every industry, especially the critical infrastructure sector. Law firms representing critical infrastructure clients may have new cyber incident reporting obligations under the Cyber Incident Reporting for Critical Infrastructure Act.
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), creating new requirements for organizations operating in critical infrastructure sectors to report to the federal government certain cyber incidents and related ransom payments.
The Act requires organizations operating in critical infrastructure sectors to report "substantial" cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity reasonably believes the incident occurred; provide reports to CISA of substantial new or different information that becomes available until the incident has concluded and been fully mitigated and resolved; report ransom payments to CISA within 24 hours after making the ransom payment; and preserve data related to cyber incidents or ransom payments in accordance with procedures to be established by CISA. The new reporting obligations will not take effect until the director of CISA promulgates implementing regulations, including “clear description[s] of the types of entities that constitute covered entities.” Covered entities could include law firms representing critical infrastructure clients.
Companies supporting, or operating as part of, the critical infrastructure sector should consider taking steps to review their response plans to ensure that legal and compliance professionals are brought in early, particularly since events that do not implicate personal information may now require regulatory notifications. The Act requires affected organizations to report incidents as they are unfolding, as well as to issue follow-up reports, so businesses should consider integrating legal and compliance reviews and actions into their cybersecurity preparations and functions. The Act, together with other recent federal government measures, will require critical infrastructure organizations’ legal counsel and information security personnel to work more closely together to defend the nation’s infrastructure.
The common characteristics of critical infrastructure organizations that are victims of a data breach include:
Lack of an organizational cybersecurity strategy — An organizational cybersecurity strategy articulates how an organization intends to use its resources, personnel, and tools to improve its cybersecurity posture. A strategy also states what the organization will and will not do, aligns cybersecurity projects with the business mission, and provides the foundation for detailed, tactical policies and procedures.
Lack of basic cyber hygiene practices — Organizations should have an ongoing security awareness and training program, in concert with the organizational cybersecurity strategy, focused on creating a cyber-conscious culture to protect against phishing and ransomware attacks. They should also implement vulnerability management, patch management, identity and access management, least privilege, configuration management, data encryption, email filtering, and third-party/supply chain risk management.
Insufficient governance — Tactical system cyber risks are tracked by the IT department, and senior leadership frequently lacks adequate visibility and context to manage the impact of cyber-risks to the overall business mission.
Regulatory compliance is not adequate — Many organizations meet their compliance obligations and are still victims of data breaches. Compliance must not be confused with zero, or even low, operational risk.
Develop a cybersecurity strategy
Adopt and implement written cybersecurity policies and procedures that are reasonably designed to address the cybersecurity risks relevant to your specific business, which could impact your clients and investors. Review them on an annual basis.
Report
Develop an incident response plan that clearly defines roles and responsibilities of key stakeholders, including incident-reporting obligations. Messaging guidance and even templates for external communications should be developed prior to an event, and approved by executive leadership.
Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, the firm collaborates with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.