On March 1, 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), which requires covered entities to report certain cyber incidents. The Act requires covered entities that experience a covered cyber incident to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.
These requirements are meant to provide greater cybersecurity visibility for the federal government. The requirements will go into effect once the rule is published in the Federal Register, after going through the formal rulemaking process.
An entity will be covered by and required to report under this Act if it is in a critical infrastructure section. An infrastructure system or asset is critical if it is vital to the United States that its incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
In addition, a covered entity that makes a ransom payment as the result of a ransomware attack against must report the payment to the CISA no later than 24 hours after the ransom payment has been made. This requirement applies even if the ransomware attack is not a covered cyber incident subject to the 72-hour reporting requirement.
The Act requirements do not apply to covered entities or their functions if the CISA determines they constitute critical infrastructure owned, operated or governed by multi-stakeholder organizations.
Covered entities should review the Act’s requirements and continue to monitor the Federal Register for an update on the Act’s effective date.
|
This Legal Update is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. ©2022 All rights reserved.
|
Insurance services provided by Granite Insurance Brokers and its licensed agents and affiliates. The information contained within these materials are confidential and not to be distributed. Descriptions are general in nature only. Please refer to the terms and conditions of policies offered or purchased. Insurance products are subject to application and underwriting requirements. Pricing depends on a variety of factors including policyholder location. Not all discounts available in all states. Not all products available in all states. Use of and access to this information, site or any of the links contained within this site does not create a relationship between the user and Granite. © 2025 Granite Insurance Brokers, Inc. All Rights Reserved.
