Standing Up the Strengthening American Cybersecurity Act of 2022

By: Lewis Brisbois' Data Privacy & Cybersecurity Team 

The U.S. Senate unanimously passed the Strengthening American Cybersecurity Act on March 1, 2022. If signed into law, it would create an affirmative obligation for critical infrastructure entities across 16 federally designated critical infrastructure sectors, including energy and financial services, to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). The bill consists of three different regulations: (1) the Federal Information Security Modernization Act of 2022; (2) the Cyber Incident Reporting for Critical Infrastructure Act of 2022; and (3) the Federal Secure Cloud Improvement and Jobs Act of 2022.

Title II of the legislation obligates a critical infrastructure entity to notify CISA within 72 hours of determining, or reasonably believing, that a covered cyber incident has occurred. Unlike U.S. state data breach notification statutes, which define data breaches as unauthorized access to or acquisition of personal information, the application of this legislation is independent of the contents of the data impacted. Under this legislation, a covered cyber incident is one that actually jeopardizes the integrity, confidentiality, or availability of information on an information system. This broad definition sweeps into its scope a variety of common cyber incidents such as ransomware, business email compromises, and other network intrusion events. The determination of whether a covered cyber incident has occurred depends not on the content of the impacted data, but rather on the incident's effect on any data stored on an information system.

In addition to the requirement for critical infrastructure entities to notify CISA when a cyber incident occurs, Title II also creates a reporting requirement whenever a ransom is paid. Should an entity decide to pay a ransom, the entity must notify CISA within 24 hours of doing so. This reporting requirement is independent of reporting to CISA when a cyber incident occurs. In a case where the incident does not rise to the level of a covered cyber incident, a critical infrastructure entity would still be obligated to report to CISA that a ransom was paid. Interestingly, the legislation also creates a duty to inform for any third party that would be eligible to file the report with CISA on behalf of an entity. This duty to inform requires lawyers, incident response firms, payment facilitators, and other third parties to tell the affected entity that it must report the payment of the ransom to CISA.

The 24- and 72-hour windows within which entities must report ransom payments and cyber incidents can limit the amount of information available to share with CISA. To address this, Title II creates an ongoing duty to report to CISA following an initial report. Whenever new or substantive information becomes available, entities must continue to file updated reports with CISA. This obligation to provide updates is satisfied only when an entity files a notice to CISA that the incident has concluded and is fully mitigated and resolved.

Navigating the landscape of cyber events against critical infrastructure is becoming increasingly significant on a national and international level given these times of political unrest. Lewis Brisbois' Data Privacy & Cybersecurity Team has extensive experience counseling critical infrastructure entities through cyber incidents and can help your organization evaluate voluntary reporting to CISA and other regulators before, during, and after a cyber incident occurs.

For more information on the Strengthening American Cybersecurity Act, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.
