Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

If organizations have not already begun preparing for the new reporting requirements for covered entities outlined by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, they should start now. While the regulations required under CIRCIA are currently undergoing the rulemaking process, the reporting requirements are set to become effective in 2026. The proposed rule, developed by the Cybersecurity and Infrastructure Security Agency, requires covered entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours. The more an organization does to prepare now, the easier reporting within such expedited timelines will be.

What entities are covered?

CISA estimates more than 300,000 entities will be covered by CIRCIA. The act and proposed rule cover any entities larger than a small business, which is generally defined as having fewer than 500 employees or annual receipts of less than USD 7.5 million, as well as any business, large or small, that offers services in 16 specific sectors. These sectors were chosen for the impact an attack on those entities would have on the U.S. and on trade.

Those sectors, established by Presidential Policy Directive 21 and reiterated in the National Security Memorandum on Critical Infrastructure Security and Resilience, are wide-ranging and include health care, information technology, communications, energy, financial services, and transportation. Entities ranging from hospitals to IT companies that have not traditionally considered themselves critical infrastructure should review the sector-specific plans outlined by PPD-21 to determine whether CISA has named their sector critical.

Even if an organization is not itself a covered entity, its teams should consider learning more about CIRCIA's various provisions and requirements. For example, entities like law firms, privacy and security consultants, or vendors may report on behalf of their covered entity clients, and understanding how CIRCIA affects those clients could be critical.

What are the impacts of the reporting requirements?

Per the proposed rule, after CIRCIA's reporting requirements become effective, covered entities will be required to report substantial cyber incidents within 72 hours of forming a reasonable belief that such an incident has occurred. A "substantial cyber incident" is defined in the proposed rule as one that causes any of the following:

  • Substantial loss of confidentiality, integrity or availability.
  • Serious impact on safety and resiliency of operational systems and processes.
  • Disruption of ability to engage in business or industrial operations or deliver goods or services.
  • Unauthorized access facilitated through or caused by a compromise of a provider or third party or a supply chain compromise.

In addition, a covered entity is required to report ransom payments in response to ransomware attacks to CISA within 24 hours, subject to certain exemptions.

The specific information subject to these reporting requirements may change as the rulemaking process proceeds, but in the 2024 Notice of Proposed Rulemaking on CIRCIA, CISA outlined a host of information that entities should prepare to disclose and retain, from a timeline of the incident to any information they can provide that may lead to the identity of the attacker. Even though these classes of information may still change, entities should treat the NPRM as a roadmap to CISA's expectations for CIRCIA reports.

What protections or penalties does the proposed CIRCIA rule offer?

The proposed CIRCIA regulation notes that information submitted to CISA will be protected against onward disclosure and that entities maintain their legal privileges and protections. That said, those protections are extended only to individuals and entities operating in compliance with the regulation's framework. Conversely, failing to comply, whether by not submitting timely and complete CIRCIA reports or supplemental reports, or by not responding to requests for information, could result in penalties. Knowingly and willfully making false or fraudulent statements or representations could be met with fines and imprisonment of up to five years, or imprisonment of up to eight years if the offense involves international or domestic terrorism.

In short, the proposed rule encourages timely and accurate reporting of cyber incidents and ransom payments by affording protections for covered entities and individuals who cooperate with CISA and penalizing those not operating in compliance with the proposed regulation.

How to prepare for compliance with CIRCIA?

Once an organization has determined its type of entity, and whether it is covered by the CIRCIA final rule, there are a few steps to take now so that it is ready when or if a substantial cyber incident occurs.

  • Ensure the entity understands that covered entities and individual employees face significant risks for noncompliance.
  • Begin creating specific and actionable plans to ensure compliance with reporting requirements.
  • Start coordinating plans to comply with reporting requirements and align information reported pursuant to CIRCIA with information reported elsewhere, for example in U.S. Securities and Exchange Commission filings and other public disclosures.
  • Begin outlining which data and records should be retained and engage in data mapping now to ensure retention.
  • Kick off the collaboration with third parties to determine whether they will have the authority to submit reports on the entity's behalf.

What's next for CIRCIA?

Now that the public comment period for the NPRM has closed, CISA's next step is to respond to the comments and prepare to publish the final rule. The agency plans to publish the final rule governing reporting requirements in late 2025, with the rule taking effect in 2026. In the meantime, keep an eye out for more information from CISA and greater details about how specific entities and individuals should prepare to comply with the final rule. It's important for covered entities to kick off this compliance journey now so they are prepared to investigate, respond and report as soon as possible if they do experience a substantial cyber incident.

Don't wait for the clock to start; act now.

Katelyn Ringrose, CIPP/E, CIPP/US, CIPM, FIP, is a privacy and cybersecurity senior associate, Stephen Reynolds, CIPP/US, is a data security and privacy partner, and Sagar Ravi is a white-collar crime and cybercrime partner at McDermott Will & Emery.