The Cybersecurity and Infrastructure Security Agency—part of the Department of Homeland Security—today announced a notice of proposed rulemaking to implement a 2022 law requiring financial institutions and other “critical infrastructure” businesses to report cyber incidents and ransomware payments to the department and agency.
Under the proposal, regulated financial institutions and other critical infrastructure sectors would be required to report significant cyber incidents to DHS or CISA within 72 hours (under the statute, the clock starts when the entity reasonably believes a covered incident has occurred) and any ransomware payments within 24 hours of the payment being made. They would also be required to “promptly” file supplemental reports if “substantial new or different information” becomes available about the incident. The reporting requirements are in addition to existing computer-security incident notifications that banks must make to their federal regulators within 36 hours and a new Securities and Exchange Commission requirement for publicly traded companies to disclose material cyber incidents to the public within four business days.
The proposed 450-page rulemaking by CISA would implement the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, of 2022, which establishes reporting requirements for several sectors of the economy, including financial services. Covered entities would be required to submit CIRCIA reports through the CIRCIA Incident Reporting Form available on CISA’s website or in any other manner approved by CISA’s director.
Cyber incidents that must be reported include denial-of-service attacks that render a covered entity’s services unavailable to customers for an extended period of time, cyberattacks that encrypt one of the entity’s core business systems or information systems, unauthorized access to an entity’s business systems caused by tampered software or compromised credentials, and ransomware attacks that lock an entity out of its industrial control systems. Reports must include contact information for the entity, a description of the affected systems, the effects on the entity’s operations, and more. Ransomware payment reports must include the date and amount of the payment, among other things.