Reporting requirements
Under CIRCIA, organizations are required to report to CISA cyber incidents that meet certain criteria, within a specified timeframe. While the proposed rules contain some reporting exceptions, the reporting criteria include incidents that:
- Result in unauthorized access to critical systems or data
- Cause significant disruption to critical infrastructure operations
- Involve ransomware or other malicious software targeting critical infrastructure
- Result in physical harm or loss of life
Reporting timelines
CIRCIA mandates reporting cyber incidents to CISA within 72 hours "after the covered entity reasonably believes the covered cyber incident has occurred" and ransomware payments within 24 hours of the payment being made, unless payment is accompanied by an incident, in which case the organization has 72 hours to report.*
Incident reporting format
CISA is expected to provide guidelines on the specific reporting format and information required. However, organizations should be prepared to provide details such as the nature of the incident, affected systems, potential impact and any mitigation measures taken.
Protection of sensitive information
CIRCIA emphasizes the protection of sensitive information shared during incident reporting. Organizations should ensure that appropriate safeguards are in place to protect any proprietary or confidential information shared with CISA.
Collaboration with CISA
CIRCIA encourages collaboration between organizations and CISA to facilitate incident response and information sharing. Organizations should establish communication channels and points of contact in advance so that they can work effectively with CISA during incident reporting and response efforts.
Penalties for non-compliance
Failure to comply with CIRCIA reporting requirements may result in penalties, including fines and potential legal consequences. It's essential to prioritize compliance with CIRCIA to avoid any adverse consequences.
CISA's proposed incident reporting mandates add another layer of complexity to the already daunting regulatory landscape governing when companies are required to report cybersecurity incidents. We recommend that organizations review current incident response plans and procedures to ensure compliance with CIRCIA reporting requirements. It's also advisable to stay updated on any guidelines or additional information provided by CISA regarding incident reporting under CIRCIA.
Cyber insurance impacts
The Cyber insurance market remains laser-focused on threats to critical infrastructure. Concerns continue to center on the potential for an attack on, or a system outage at, a critical infrastructure target. A significant cyber attack against one of these targets could lead to a dreaded systemic loss, having a cascading impact on multiple insureds around the globe.
As a result, the Cyber insurance marketplace has addressed these concerns by changing coverage, in some cases restricting or excluding it. When reviewing Cyber insurance and other policies that may provide a mechanism to transfer cyber risk for critical infrastructure and those that rely on them, insureds should be mindful of several potential coverage pitfalls, including but not limited to:
- Critical infrastructure exclusions that may eliminate coverage for all losses related to a specified critical infrastructure target
- Catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for cyber losses that impact a large number of organizations
- Contingent business interruption sub-limit or exclusionary language that may apply to organizations that were not direct targets, but suffer consequences of a critical infrastructure cyber attack
- Cyber war exclusionary language that's generally being broadened and may contain ambiguous or undefined terms
- Regulatory risks that may limit or exclude coverage for regulatory investigations, lawsuits, fines and settlements
Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by losses related to these types of incidents, whether directly or indirectly through vendor or supply chain relationships. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations to Cyber insurance carriers, requirements to use insurance panel breach response vendors, evidence preservation and other issues that may affect attorney-client privilege.
If you have any questions or require further assistance in understanding and implementing CIRCIA reporting requirements, please contact us. We're here to support you in navigating these new obligations and strengthening your cybersecurity posture.