Cyber incident reporting for critical infrastructure: Implications for boards

Failure to comply with CIRCIA’s reporting requirements could result in subpoenas.

In March 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a nearly 450-page draft of a reporting rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) that, if approved, would affect over 300,000 entities in the United States. Failure to comply with CIRCIA’s reporting requirements could result in subpoenas, and companies that do business with the federal government could be suspended from federal contracts.

The reporting rule pursues the laudable goal of gathering potentially useful information that can assist first responders and government officials in improving cybersecurity. However, adhering to this rule could theoretically expose companies and their boards to liability, even though disclosed information is protected from release under the Freedom of Information Act and cannot be used in lawsuits. Indeed, even though government officials may not be permitted to use the disclosed information in litigation, they could theoretically use that information as a roadmap to investigate the company and ultimately obtain the same data through other means. This is a critical weakness of the proposed rule.

The rule is expected to go into effect in 2026, providing boards some time to consider their legal and cyber implications.

Understanding the new reporting rule

In March 2022, President Biden signed CIRCIA into law. CISA issued a notice of proposed rulemaking on March 27, 2024 to implement CIRCIA and expects to publish the final rule by late 2025. Reporting under the new rule is scheduled to begin in 2026.

This rule requires companies to report a covered cyber incident to CISA within 72 hours (and 24 hours for a ransom payment) so that the Agency can effectively “assess the effectiveness of and identify tactics, techniques and procedures adversaries use to overcome those controls.” It is not intended to mire companies with cumbersome red tape. Rather, it aims to help CISA identify threats as they happen, help victims, alert affected parties, and, ultimately, preserve national security. This rule would support CIRCIA’s mandate of protecting U.S. national security interests and mitigating or preventing similar future threats. Timely reporting of such events would facilitate inter-agency data sharing and help build a repository of this type of intelligence that would greatly assist first responders and public officials in responding to future cyberattacks while also helping decision-makers allocate resources where they are needed most.

CIRCIA treats both IT and operational technology (OT) as critical environments, given their impacts on national security, public health and safety. Including IT and OT in the reporting rules underlines the broad and significant implications of cybersecurity across the digital and physical assets an entity manages.

As written, the rule seeks information that includes:

  • technical details of the incident,
  • categories of information believed to have been accessed or acquired,
  • vulnerabilities exploited,
  • the entity’s security protocols,
  • the incident’s impact on operations,
  • indicators of compromise,
  • identifying information about the attacker, and
  • identification of any law enforcement responding to the incident.

Ransomware reports also require information on the payment demand, amount and type of assets used in the payment, recipient identity, virtual currency address, transaction identifier and payment outcome.

Legal considerations

Complying with these new reporting requirements and existing data protection laws will be challenging. Publicly traded companies must also consider the implications of cyber incidents on their disclosures to investors. The Securities and Exchange Commission requires that material risks and incidents are disclosed, which could lead to scrutiny regarding the adequacy of previous risk disclosures.

Tearline reporting to mitigate cyber threats

Meeting the new rapid disclosure requirements will require companies to establish plans for coordinating with cyber threat intelligence firms and for integrating cyber threat intelligence directly into their operational framework. This coordinated approach would permit all parties to understand and act upon cyber threats while still meeting disclosure requirements.

First, intelligence should go through the organization’s internal compliance and reporting structures. This internal processing permits an organization to maintain a controlled flow of information while safeguarding timely and compliant disclosures. However, companies should consult with counsel to avoid accidental disclosure of confidential or proprietary information.

Tearline reporting is a method of producing intelligence reports with certain sensitive information excluded: the sanitized portion above the "tear line" can be shared widely, while the details below it stay with the organization. Establishing effective tearline reporting systems maximizes transparency and cooperation while also protecting sensitive information that may not need to be disclosed.

As always, the challenge is striking the right balance between bolstering overall security and preventing the exploitation of sensitive disclosed information. Boards can work with cyber threat intelligence firms to produce downgraded or sanitized tearline reports that can be shared with the government. Tearline reporting empowers companies to comply with the applicable rules while minimizing the downside risk of litigation. Given the proposed rule’s short turnaround time (as rapid as 24 hours), companies need to have a tearline reporting plan ready to go at a moment’s notice.
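To make the tearline idea concrete, here is an added example (not code from the article or from Intel 471) that splits a field-marked incident record into the shareable tearline and the retained remainder, and computes the two reporting clocks the proposed rule sets (72 hours for a covered incident, 24 hours for a ransom payment). The field names and the above/below marking convention are assumptions for illustration, and the sample report is constructed.

```python
from datetime import datetime, timedelta

# Reporting windows stated in the proposed rule.
COVERED_INCIDENT_WINDOW = timedelta(hours=72)
RANSOM_PAYMENT_WINDOW = timedelta(hours=24)

# Constructed marking convention (not CISA's): ABOVE = shareable with the
# government; BELOW = retained by the organization and its counsel.
ABOVE, BELOW = "above", "below"


def reporting_deadlines(incident_determined_at, ransom_paid_at=None):
    """Return ISO-8601 due times for the incident report and, if a ransom
    was paid, the separate ransom-payment report. Inputs are ISO-8601."""
    determined = datetime.fromisoformat(incident_determined_at)
    deadlines = {"covered_incident": (determined + COVERED_INCIDENT_WINDOW).isoformat()}
    if ransom_paid_at is not None:
        paid = datetime.fromisoformat(ransom_paid_at)
        deadlines["ransom_payment"] = (paid + RANSOM_PAYMENT_WINDOW).isoformat()
    return deadlines


def tearline(report):
    """Split a report whose values are (marking, content) pairs into the
    sanitized tearline (shared) and the below-the-line remainder (retained)."""
    above = {k: v for k, (mark, v) in report.items() if mark == ABOVE}
    below = {k: v for k, (mark, v) in report.items() if mark == BELOW}
    return above, below


# Constructed sample record; above-the-line keys follow the categories the
# rule asks for, below-the-line keys are internal material kept with counsel.
SAMPLE_REPORT = {
    "technical_details": (ABOVE, "Ransomware encrypted file servers on the plant network"),
    "information_categories": (ABOVE, ["employee PII", "engineering drawings"]),
    "vulnerabilities_exploited": (ABOVE, ["unpatched remote-access appliance"]),
    "operational_impact": (ABOVE, "Production line halted for 14 hours"),
    "indicators_of_compromise": (ABOVE, ["<constructed IP>", "<constructed file hash>"]),
    "law_enforcement_contact": (ABOVE, "FBI field office, case opened"),
    "ransom_demand": (ABOVE, {"amount": "<constructed>", "outcome": "paid"}),
    "internal_hostnames": (BELOW, ["fs-01.corp.example", "hmi-07.plant.example"]),
    "counsel_notes": (BELOW, "Privileged assessment of prior risk disclosures"),
    "vendor_contract_terms": (BELOW, "Proprietary supplier agreement excerpts"),
}

if __name__ == "__main__":
    shared, retained = tearline(SAMPLE_REPORT)
    print(sorted(shared), sorted(retained))
    print(reporting_deadlines("2026-01-05T09:00:00+00:00", "2026-01-06T12:00:00+00:00"))
```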

Cyber threat intel assists in the response

CIRCIA emphasizes that cybersecurity of critical infrastructure is a shared responsibility. The proposed rule does not dictate how entities mitigate cybersecurity risks but does require organizations to be clear about their cyber risks and the impacts of an incident. This is critical to determining what incidents must be reported. For CIRCIA to reach its intended goal, entities must operationalize intelligence to protect themselves.

Effective operationalized threat intelligence is comprehensive, proactive, holistic, consistent and can reduce a company’s risk exposure. Without operationalized intelligence, an entity risks being the weak link in the nation’s critical infrastructure system.

A fully operationalized threat intelligence program should be two-pronged, with one focusing on protecting and proactively responding to risk, the other focusing on communications strategies.

Elements of a robust and operational intelligence risk mitigation program include:

  • identifying system exposure, particularly across the attack surface;
  • anticipating adversaries’ attack strategies;
  • enhancing regulatory compliance;
  • guiding investment in security; and
  • hunting for threats, proactively responding to them, and communicating the resulting risk.

Communications strategies can include the following:

  • educating and preparing the board,
  • building stakeholder confidence, and
  • enhancing public relations and communication.

Incorporating the foregoing fortifies defenses against future attacks while positioning companies to respond more nimbly to incidents and facilitating compliance with regulatory requirements.

Security and risk use-cases

Boards and security leadership must adopt a common language concerning security, risk and intelligence and consider multiple issues, such as third-party vendor and supplier risk, prioritization of vulnerability patches, and support for incident management. Maintaining executive-level awareness and providing decision support is paramount to success. Access to intelligence can support many of these common security and risk use cases, which are relevant across the enterprise. This, in turn, can inform various aspects of business operations, and aligning technology and service offerings with that intelligence helps ensure security strategies are communicated and implemented effectively.

External counsel can guide boards on how to determine what information stays confidential and what may be appropriate to disclose. Should litigation arise in the aftermath of a cyberattack, external counsel can manage the information that might be subject to discovery. Companies and board members should utilize external counsel to maximize their legal protections, including by ascertaining whether certain information may be protected from disclosure as privileged.

Jason Passwaters is the Chief Executive Officer of Intel 471, a leading provider of cyber threat intelligence solutions, and formerly served in the United States Marine Corps.

Michael Richter is an attorney and leads the litigation department at the law firm of Grant Herrmann Schwartz & Klinger, and previously served as an intelligence officer at the Defense Intelligence Agency and the Office of the Director of National Intelligence.

Copyright © 2024 Federal News Network. All rights reserved.