The clock is ticking. At the start of 2025, many businesses will be required to follow new cybersecurity reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
These requirements will apply to all entities operating within 16 critical infrastructures defined by the Cybersecurity & Infrastructure Security Agency (CISA). Failure to comply could result in penalties.
What counts as critical infrastructure?
According to CISA, a critical infrastructure sector has “assets, systems and networks, whether physical or virtual, [that] are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Critical infrastructure entities include those operating in these arenas:
- Chemical sector
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government services and facilities
- Health care and public health
- Information technology
- Nuclear reactors, materials and waste
- Transportation systems
- Water and wastewater
A swath of businesses and government entities across the American economy will be impacted. If just one part of your organization operates or provides critical services in any of these sectors, your entire organization will be expected to follow the cyber guidelines. That’s even if your primary business is outside the 16 sectors.
If you’re uncertain of your classification, your Rathbun account manager can help you work through CISA’s “covered entity” decision tree. This can help you determine if CIRCIA reporting rules will apply to your organization.
The new rules
Under the new rules, any entity operating within one of the critical infrastructures listed above must report all significant cybersecurity incidents and ransomware payments to CISA.
The requirements were introduced in CIRCIA, and organizations had until July 3, 2024, to submit their comments about the act as initially written. Until those comments are reviewed and any subsequent changes are approved, the law won’t be official. Still, the final outcome is expected to include two general parameters. Covered entities must:
- Inform CISA of any significant cyber incidents within 72 hours
- Reveal ransomware payments to CISA within 24 hours.
Applicable businesses and government should begin following all basic guidelines of the proposed law even before the final rule is adopted.
What’s considered “significant”?
Your organization likely faced some type of cyber threat today. It probably did yesterday and will again tomorrow as well. But more routine threats, like phishing emails or malware-infected links, are not the target of CIRCIA. While they may disrupt your organization, they don’t pose a significant threat to infrastructure. In other words, they are unlikely to take down an entire sector.
CIRCIA requires reporting on only what it considers a “significant” or “substantial” cyber incident. To qualify, all of these factors must be true:
- Your organization must have operations in at least one critical infrastructure sector (even if it’s not the one involved in the cyber incident).
- The compromise must lead to at least one of the following:
- Substantial loss of confidentiality or data/system integrity
- Serious impact on the safety and resilience of your operational systems and processes
- Disruption of your operations or ability to deliver goods or services
- Unauthorized access to your information system, network or nonpublic information caused by a supply chain compromise or breach of a cloud service provider, managed service provider, or other third-party provider that hosts data
- The security incident must not just threaten, but actually cause one of the impacts, disruptions or losses listed above.
Why the law is needed
Critical infrastructure sectors worldwide face an almost constant threat of cyber attack. In 2023 alone, there were more than 420 million incidents, or 13 per second, according to Forescout Research – Vedere Labs. That’s a 30% increase over 2022 levels. Better data can help change that trend.
CIRCIA is not intended to put a spotlight on cyber victims or publicly shame organizations that fall prey to cybercriminals. The act specifies that any data collected from submitted reports cannot be used for regulatory enforcement.
Rather, CIRCIA’s intent is instead to improve awareness and understanding of ongoing and evolving threats. It has four goals.
- CISA and the cybersecurity community at large, including researchers, hardware and software developers, and IT departments, will be able to develop more appropriate responses to threats.
- Windows of opportunity will shrink for cybercriminals.
- CISA will be able to quickly deliver more targeted support to cybercrime victims.
- Educational materials will evolve in real time to minimize the number of additional attacks.
Who will know about your incident reports?
All incident reports are considered confidential. There won’t be a CIRCIA database that people can peruse to find your organization. However, information in your report can be obtained via subpoena or a Freedom of Information Act request, so your organization is not shielded from all potential actions.
Reporting is to your advantage
The most obvious reason for following the CIRCIA guidelines is that failure to comply could result in a subpoena, suspension or exclusion from government contracts.
More important are the advantages of reporting. It may hasten the speed of support services available through CISA. It may prevent a subsequent attack. And it will improve the collective knowledge of cybercrime tactics and give critical infrastructure a better counterplan for protection. Insurers use federal mandates as a guideline for underwriting coverage, so the better your cyber hygiene, the better your terms and pricing for cyber insurance will be.
The importance of cyber insurance
Discuss appropriate cyber liability coverage with your Rathbun Insurance account manager. All organizations connected to the internet need cyber liability insurance. You may need directors and officers liability insurance as well. Your insurance agent or broker can help you craft a well-rounded set of policies. This will help ensure you’re protected if a breach leads to claims against your organization.