In 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). It developed out of the federal government’s perceived need to be better prepared for cybersecurity incidents that impact critical infrastructure. CIRCIA stemmed from the Columbia Pipeline ransomware incident in May of 2021 which hampered oil and gas delivery up and down the eastern seaboard. Following this incident, the U.S. Cybersecurity and Infrastructure Security and Resilience Agency (CISA) produced a number of cybersecurity toolkits and resources for members of the so-called critical infrastructure segments identified by the federal government. CIRCIA built on those tools the requirement for impacted businesses to report cybersecurity incidents (and ransomware payments) to the federal government so that such activity could be better tracked, predicted, and responded to.
Commercial Facilities are “critical infrastructure”.
As defined by CISA, critical infrastructure encompasses sixteen specific industry segments, including Commercial Facilities.
Commercial Facilities encompass large swaths of the real estate market, including places where large crowds are expected such as stadiums, amusement parks, movie theaters, shopping malls, commercial real estate (office buildings), hotels and lodging, fairgrounds, parks, and apartment complexes. The segments are broadly interpreted and are intended to cover as much of this key infrastructure as possible so that the government can collect as much incident information as possible.
What is required under CIRCIA?
While the final rules to be promulgated by CISA have not yet been published or finalized (draft rules were published for comment, and final rules are anticipated to be published in May of 2026 with enforcement to follow sometime after), there are two basic requirements of CIRCIA for covered entities: (1) reporting to CISA within 72 hours of reasonably believing that a “substantial” cybersecurity incident has occurred and (2) notifying CISA of the payment of any ransom within 24 hours of such a payment. Under CIRCIA, a substantial cyber incident is an incident that leads to one of the following impacts:
- Substantial loss of confidentiality, integrity, or availability of a covered entity’s information systems or network;
- Serious impact on the safety and resilience of a covered entity’s operational systems and processes;
- Disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
- Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
  - Compromise of a cloud services provider, managed service provider, or other third-party data hosting provider; or
  - Supply chain compromise.
In reporting incidents, the final rules will specify the manner of reporting as well as the information that needs to be provided, but the legislation makes clear that reports will need to be supplemented to update reported information on an ongoing basis. In addition to reporting, covered entities that report a cybersecurity incident are required to maintain records and data relating to the incident. These retention requirements will be detailed in the final rules next year. While penalties for noncompliance are anticipated, those penalties have not yet been specified and will be part of the final rulemaking.
What is needed to comply?
While the requirements of CIRCIA on their face are not terribly complex or burdensome, the real challenge under the rules will be the processes and procedures that must be in place to meet them. In order to quickly and adequately meet the requirements of CIRCIA, at a minimum, covered entities in a critical infrastructure segment will need to have systems and processes in place to identify cybersecurity incidents. This goes beyond mere IT system monitoring. Determining whether an incident is a substantial cybersecurity incident that triggers reporting requires more than an IT alert, and it is advisable that covered entities have a breach attorney, familiar with CIRCIA and other regulations, on hand to advise on potential reporting needs. It is also advisable for covered entities to know what kinds of information they hold in their IT systems and where it is located, so that if an incident impacts a particular server, system, or database, they know what information was likely affected. This requires data mapping and an investment in investigating the organization’s data collection, use, storage, and data life cycles by taking a data inventory that allows for the speedy decision making and notice required by this and other regulations. Covered entities are also likely to need an incident response plan, not merely a document but a tested, updated, and functioning process that specifies how the organization responds to security incidents of all types in a quick, efficient, and effective manner and, most importantly, who within and outside the organization is responsible for determining what reporting requirements apply and to whom reports must be made.
Cybersecurity incidents can trigger a host of statutory and regulatory notice requirements, and these requirements come with increasingly strict and shorter deadlines. Covered entities will not have the luxury of completing a full investigation or waiting for all available information to be analyzed before determining whether notice is required under CIRCIA, other federal regulations (HIPAA, GLBA, etc.), state laws, or administrative agency regulations. To meet these requirements, covered entities would do well to consult with attorneys knowledgeable about responding to cybersecurity incidents and meeting these regulatory requirements, to help ensure that the covered entity has internal processes and procedures in place for identifying cybersecurity incidents, collecting information about their impact, and determining whether and to whom notice may be required.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that publications are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.