March 22, 2022
On March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which was included in an omnibus appropriations bill. Against the backdrop of high-profile cyberattacks on critical infrastructure providers and growing concerns of retaliatory cyberattacks relating to Russia’s invasion of Ukraine, the House approved the bipartisan legislation on March 9 and the Senate unanimously approved the legislation on March 11 after failing to pass similar legislation in recent years.
The Act creates two new reporting obligations on owners and operators of critical infrastructure:
The new reporting obligations will not take effect until the Director of CISA promulgates implementing regulations, including “clear description[s] of the types of entities that constitute covered entities.” The Act does provide guideposts for which entities may be covered and refers to Presidential Policy Directive 21 from 2013, which deems the following sectors critical infrastructure: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
The Act considerably expands the reporting obligations of covered entities and CISA’s role with respect to cyber reporting initiatives, the rulemaking process, and information sharing among federal agencies. Below is a summary of the legislation, as well as key takeaways.
I. The Act’s Impact on Covered Entities
A. Reporting Obligations
Under the Act, covered entities that experience a “covered cyber incident” are required to report the incident to CISA no later than 72 hours after the entity “reasonably believes” that such an incident has occurred. The Act defines a “covered cyber incident” as one that is “substantial” and meets the “definition and criteria” to be set by the CISA Director in the forthcoming rulemaking process. In addition, covered entities are required to report to CISA any ransom payment made as a result of a ransomware attack no later than 24 hours after making the payment. Entities are required to report ransom payments even if the underlying ransomware attack is not a covered cyber incident. If a covered entity experiences a covered incident and remits a ransom before the 72-hour deadline, it may submit a single report to satisfy both reporting requirements. Covered entities that are required to report cyber incidents or ransom payments also will be required to preserve relevant data. Although the Act specifies some of the content that reports should contain, the CISA Director will further prescribe report contents through the rulemaking process.
After reporting a covered incident, covered entities will be required to submit updates as “substantial new or different information becomes available” until the covered entity notifies CISA that the incident has been fully mitigated and resolved. Such supplemental reports will need to address whether a covered entity made a ransom payment after submitting the initial report.
To “enhance the situational awareness of cyber threats,” the legislation provides for voluntary reporting of incidents and ransom payments by non-covered entities, as well as the voluntary provision of additional information beyond what is mandatory by covered entities. Required and voluntary reporting will receive the same protections, further described below.
Notably, the Act creates an exception whereby its reporting requirements will not apply to covered entities that, “by law, regulation, or contract,” are already required to report “substantially similar information to another Federal agency within a substantially similar timeframe.” However, this exception will be available only if the relevant federal agency has an “agency agreement and sharing mechanism” in place with CISA.
B. Protections for Reporting Entities
Recognizing some of the concerns relating to reporting, the Act protects reporting entities from certain liability associated with the submission of required or voluntary reports. Under the Act, submitted cyber incident and ransom payment reports cannot be used by CISA, other federal agencies, or any state or local government to regulate, including through enforcement action, the activities of the covered entity that submitted the report.
In addition, submitted reports must:
Certain additional protections further encourage compliance and recognize the concerns that victim companies may face in providing notifications. Notably, the required reports, and material used to prepare the reports, cannot be received as evidence, subject to discovery, or used in any proceeding in federal or state court or before a regulatory body. Also, no cause of action can be maintained based on the submission of a report unless it is an action taken by the federal government to enforce a subpoena against a covered entity. These liability protections apply only to litigation based on the submission of a cyber incident or ransom payment report to CISA, not to the underlying cyber incident or ransom payment.
II. CISA’s Oversight and Responsibilities under the Act
By considerably expanding CISA’s role, the Act essentially establishes CISA as the central federal agency responsible for cyber reporting for companies operating within a critical infrastructure sector, advancing the forthcoming rulemaking process, and coordinating with other agencies with respect to information sharing and new initiatives.
A. Forthcoming Rulemaking
The Act provides some parameters for key definitions and processes, but ultimately requires CISA to spell out various requirements via rulemaking. The legislation requires the CISA Director—in consultation with Sector Risk Management Agencies, the Department of Justice, and other federal agencies—to issue a notice of proposed rulemaking within 24 months. The Director must issue a final rule within 18 months of issuing the proposed rule. Among other items, the Director will need to issue regulations concerning which entities are covered by the requirements, the types of substantial cyber incidents that the Act covers, data preservation, and the manner, timing, and form of reports.
Once the final rule is issued, CISA will conduct an outreach and education campaign to inform likely covered entities and supporting cybersecurity providers of the Act’s requirements.
B. Information Assessment and Sharing
The Act requires CISA to aggregate, analyze, and share information learned from submitted reports to provide government agencies, Congress, companies, and the public with an assessment of the constantly evolving cyber threat landscape. (When sharing information with non-federal entities and the public, CISA is required to anonymize the victim entities that filed report(s).)
Some of the responsibilities of CISA’s National Cybersecurity and Communications Integration Center (“the Center”) include immediately reviewing submitted reports to determine whether the incident relates to an ongoing cyber threat or security vulnerability. Moreover, the legislation enhances federal cyber incident sharing. The Center is required to make reports available to relevant Sector Risk Management Agencies and appropriate federal agencies within 24 hours of receipt. Similarly, federal agencies that receive incident reports (including from non-covered entities) must submit them to CISA no later than 24 hours following receipt.
The Act sets forth authorized uses and sharing of submitted reports. Information may be disclosed to, retained by, and used by federal agencies solely for: a cybersecurity purpose; to identify a cyber threat or security vulnerability; to respond to, prevent or mitigate specific threats of death, serious bodily harm, or serious economic harm; to respond to or prevent a serious threat to a minor; or to respond to an offense arising out of a reported incident.
Among other items, the Center is tasked with establishing mechanisms to receive feedback from stakeholders, facilitating timely information sharing with critical infrastructure companies, and publishing quarterly unclassified reports on cyber incident trends and recommendations. The Act also imposes on CISA several congressional reporting requirements, including briefings to describe stakeholder engagement with rulemaking and enforcement mechanism effectiveness.
The Act provides several enforcement mechanisms. If a covered entity fails to submit a required report, the CISA Director may obtain information about the cyber incident or ransom payment by directly engaging with the covered entity “to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.” If the covered entity does not respond to the initial information request within 72 hours, the CISA Director may issue a subpoena. Failure to comply with the subpoena – or information furnished in response to a subpoena – may result in the referral of the matter to the Department of Justice for enforcement.
Additionally, the Act denies covered entities some of the protections detailed above if they do not comply with its reporting requirements.
Under the Act, the CISA Director must provide an annual report to Congress that conveys anonymized information about the number of initial requests for information, issued subpoenas, and referred enforcement matters. This report will be published on CISA’s website.
D. Forthcoming Initiatives
Finally, the Act sets forth several initiatives to enhance cybersecurity coordination efforts:
Once in effect, the Act will considerably expand reporting considerations for some entities. Accordingly, companies should consider the following next steps:
See Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (2022).
H.R. 2471 § 2242(c)(1). This provision provides that when promulgating the final rule to define “covered entities,” the CISA Director must consider the national security, economic security, and public health and safety consequences of a potential cyberattack on the entity, the likelihood that such an entity could be targeted, and the extent to which a cyberattack will enable disruption of the reliable operation of critical infrastructure.
H.R. 2471 § 2240(5). See also White House, Office of the Press Secretary, Presidential Policy Directive — Critical Infrastructure Security and Resilience, Feb. 12, 2013, available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil; CISA, Critical Infrastructure Sectors, available at https://www.cisa.gov/critical-infrastructure-sectors.
H.R. 2471 § 2242(a)(1)(A).
Id. at § 2240(4). The legislation does not define “substantial.”
H.R. 2471 § 2242(a)(2)(A).
H.R. 2471 § 2242(a)(2)(B).
H.R. 2471 § 2242(a)(5)(A).
At a minimum, covered incident reports must convey certain information about the incident, including:
H.R. 2471 § 2245(a)(5)(A).
H.R. 2471 § 2245(a)(2)(A).
H.R. 2471 §§ 107; 2244(g).
See Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021).
See Press Release, Dep’t of Homeland Security, DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators (May 27, 2021), https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.
See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release No. 34-94382 (Mar. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf; see also Gibson Dunn’s client alert on the SEC’s proposed rule, available at https://www.gibsondunn.com/sec-proposes-rules-on-cybersecurity-disclosure/.
See Press Release, U.S. Dep’t of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
This alert was prepared by Ashlie Beringer, Alexander H. Southwell, Ryan T. Bergsieker, and Snezhana Stadnik Tapia.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group:
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Matthew Benjamin – New York (+1 212-351-4079, email@example.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, firstname.lastname@example.org)
David P. Burns – Washington, D.C. (+1 202-887-3786, email@example.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, firstname.lastname@example.org)
Nicola T. Hanna – Los Angeles (+1 213-229-7269, email@example.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, firstname.lastname@example.org)
Robert K. Hur – Washington, D.C. (+1 202-887-3674, email@example.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, firstname.lastname@example.org)
H. Mark Lyon – Palo Alto (+1 650-849-5307, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Ashley Rogers – Dallas (+1 214-698-3316, email@example.com)
Deborah L. Stein – Los Angeles (+1 213-229-7164, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, firstname.lastname@example.org)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, email@example.com)
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, firstname.lastname@example.org)
James A. Cox – London (+44 (0) 20 7071 4250, email@example.com)
Patrick Doris – London (+44 (0) 20 7071 4276, firstname.lastname@example.org)
Kai Gesing – Munich (+49 89 189 33-180, email@example.com)
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, firstname.lastname@example.org)
Penny Madden – London (+44 (0) 20 7071 4226, email@example.com)
Michael Walther – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Alejandro Guerrero – Brussels (+32 2 554 7218, email@example.com)
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, firstname.lastname@example.org)
Sarah Wazen – London (+44 (0) 20 7071 4203, email@example.com)
Kelly Austin – Hong Kong (+852 2214 3788, firstname.lastname@example.org)
Connell O’Neill – Hong Kong (+852 2214 3812, email@example.com)
Jai S. Pathak – Singapore (+65 6507 3683, firstname.lastname@example.org)
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.