Companies should take steps now to prepare for the new rules and expectations.

By Jennifer C. Archie, Tony Kim, Serrin Turner, Alexander L. Stout, Ryan J. Malo, and James A. Smith

The US government continues to expand regulatory requirements around notification and disclosure of major cyberattacks or incidents. New measures are arriving on the heels of high-profile ransomware attacks on US companies and critical infrastructure, such as the Colonial Pipeline hack that caused gas shortages in the eastern United States last summer.

Announced shared cybersecurity priorities across the Executive Branch include:

  • Cyber hygiene in the public and private sector, especially where critical infrastructure is involved
  • Operational collaboration between the public and private sector for tier one events
  • Disruption of the flow of cryptocurrency or other consideration to attackers
  • Fulsome, accurate, timely disclosure to investors and other stakeholders
  • Comprehensive reporting of incidents

These priorities have resulted in new laws, regulations, or expectations in the following areas:

  • On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires critical infrastructure owners to notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) of cyberattacks that result in “unauthorized access or disruption of business or industrial operations.” Critically, the definition of “covered critical infrastructure” is sweeping, and many businesses that may not think of themselves as “infrastructure” will be covered. The new requirements do not require notification to affected parties, but rather are designed to give CISA visibility into ongoing cyberattacks.
  • On March 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules for cyberattack disclosures that would formalize the agency’s previous guidance to public companies on disclosures of cyber risks and attacks. The proposed rules would incorporate new timing requirements for the disclosure of a material cybersecurity incident that could drive the timeline for incident response.
  • On May 12, 2021, President Biden issued Executive Order 14208, which sets out new standards for government IT and communications contractors. The new standards broadly require government IT and communications contractors to report cyberattacks to CISA.

Below are more details about these developments.

Cyber Incident Reporting for Critical Infrastructure Act of 2022

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 expands on Executive Order 14208 by requiring all critical infrastructure owners and operators (regardless of whether they contract with the federal government) to submit reports of cybersecurity incidents and ransomware payments to CISA. The Act creates two new reporting obligations for owners and operators of critical infrastructure:

  • An obligation to report certain cyber incidents to CISA within 72 hours, and
  • An obligation to report ransomware payments within 24 hours.

Covered entities will be able to report incidents themselves or use third parties such as an incident response vendor, an Information Sharing and Analysis Organization (ISAO), or a law firm.

The definition of “critical infrastructure” for purposes of the statute — which is based on Presidential Policy Directive 21 — is sweeping. It encompasses, among other things, chemical manufacturing and distribution, communications and IT, energy, food production, healthcare, transportation, and water systems. All critical infrastructure owners will soon be covered by these new reporting requirements.

The applicable definition of covered cyber incidents is likewise broad. It includes, “at a minimum,” events involving loss of information system integrity, disruption of business operations against a network, or “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.” The expansiveness of this definition suggests that even a minor cybersecurity incident could be considered reportable to CISA, but the implementing rules may ultimately set a lower threshold.

Significant protections have been built into the law to encourage compliance, with the Act requiring the prompt dismissal of any lawsuit brought based on the submission of a covered cyber incident report or report of a ransom payment to CISA. The new law will also incorporate data protection measures, with reports submitted to CISA to be considered the property of the covered entity (if so designated) and exempted from disclosure under the Freedom of Information Act. However, covered entities that fail to abide by these new requirements or fail to respond to a subpoena from CISA are subject to civil suits brought by the Attorney General. CISA may also provide information to the Attorney General or other appropriate federal agencies for use in regulatory enforcement actions or criminal prosecutions.

CISA — working with the Department of Justice and other agencies — must publish a notice of proposed rulemaking within two years, with a final rule to be in place within 18 months of the published proposal. So it will be some time before the import of the new statute fully takes shape and goes into effect. However, in granting CISA rulemaking authority, subpoena power, and leadership of a new ransomware task force, Congress is clearly intent on growing CISA’s role.

SEC Proposed Rules for Cyberattack Disclosures

The SEC has concluded that material cybersecurity incidents are underreported and that existing reporting is not timely. As such, the agency issued proposed rules to increase internal assessments and analysis around cybersecurity events and controls within public companies. Substantively, the proposed rules largely track prior SEC guidance that public companies must disclose material cyber incidents and risk management. In issuing the proposed rules, the SEC stated that “cybersecurity is among the most critical governance-related issues for investors.”

The proposed rules mandate, among other things:

  • Reporting for companies that experience material cybersecurity incidents,
  • Disclosure regarding risk management, strategy, and governance relating to cybersecurity risks, and
  • Disclosure concerning management and board of directors’ cybersecurity expertise.

The proposed rules build on informal guidance issued by the SEC in 2011 and 2018 concerning how disclosure requirements apply to cybersecurity incidents and risks. Public comments on the proposed rules are due on May 9, 2022.

The most recent SEC rulemaking proposal includes adding new Item 1.05 of Form 8-K to require reporting companies to disclose a material cybersecurity incident within four business days of determining that a material incident has occurred. The disclosures would need to include:

  • A description of the incident,
  • The timing of discovery,
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose,
  • The effect of the incident on the company’s operations, and
  • The company’s remediation efforts.

Disclosures would be required based on the date the company determined that a cybersecurity incident was material, so long as that determination was made “as soon as reasonably practicable after discovery of the incident.” Disclosures would also be required if “a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate.” After disclosing a material incident, companies would be required to provide updates on either Form 10-Q or 10-K covering the period when the material change or update occurred.

Proposed Item 106(b) of Regulation S-K would require registrants to make detailed disclosures regarding their cybersecurity risk management systems and risk mitigation strategies. These disclosures would need to include, among other things, descriptions of the company’s cybersecurity risk assessment program; policies and procedures for identifying cyber risks; activities taken to prevent, detect, and minimize the effect of cybersecurity incidents; continuity and recovery plans; likely risks; and financial planning for future cyber incidents.

Finally, proposed Item 106(c) of Regulation S-K would require registrants to disclose information related to cybersecurity governance, including the board’s oversight of cybersecurity risks; an overview of management’s role in assessing and managing cybersecurity risks; management’s role in implementing the company’s cybersecurity policies, procedures, and risk mitigation strategies; and management’s overall experience. Registrants would also be required to disclose which management positions or committees are responsible for cyber risks, whether the company has a chief information security officer (or equivalent), and how frequently management reports to the board of directors on cybersecurity risks.

Executive Order 14208

Executive Order 14208 establishes new standards for incident response and secure software development, along with mandates that federal departments and agencies use two-factor authentication, encryption, and secure cloud services. The order outlines explicit notification and information-sharing requirements for information and communications technology (ICT) service providers, and requires that ICT providers serving federal departments and agencies “promptly” report both to their agency customer and CISA in the event of any “cyber incident” involving a software product or service provided to the government.

The order will be implemented through new contract language that has been developed by the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Attorney General, and the Director of the Office of Management and Budget. The new contract language, now pending before the FAR Council (2021-017), addresses the nature of cyber incidents that require reporting, the types of information that must be included in the report, the time periods for reporting, and the types of contractors to be covered by the contract language.

What Companies Should Be Doing

Although the new laws, regulations, and expectations have yet to take effect, companies should take steps now to prepare.

  • First, as part of an overall assessment of cyber readiness, companies should understand whether any part of their business is considered critical infrastructure or provides services to the government, in which case the new rules may apply. If a business contains a critical infrastructure component, it will need to build the new CISA reporting requirements into its existing incident response plan.
  • Second, for government contractors and recipients of federal grants, new reporting obligations should be weighed in light of the Civil Cyber-Fraud Initiative at the Department of Justice, which may apply the False Claims Act to pursue investigations of companies that knowingly violate contractual obligations to monitor and report cybersecurity incidents and breaches.
  • Third, the new disclosure obligations will come with short clocks regarding prompt and fully reasoned materiality assessments, increased involvement of third-party forensic or threat intelligence experts to inform judgments, and board involvement in incident recovery and augmentation of security measures at a programmatic level.

Finally, companies should start prepping their public relations and investor relations teams — as well as their executives and boards — for the new obligations to come into effect, including by building decision-making around materiality or other key notification triggers into tabletop simulations or other incident response training exercises.