May 30, 2024 By Jonathan Reed 4 min read

In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.

The CIRCIA incident reports are meant to enable CISA to:

  • Rapidly deploy resources and render assistance to victims suffering attacks
  • Analyze incoming reporting across sectors to spot trends
  • Quickly share information with network defenders to warn other potential victims

As they say, the devil is in the details. In early April, the 447-page Notice of Proposed Rulemaking (NPRM) was published by CISA in response to its responsibilities mandated by CIRCIA. The document is now open for public feedback through the Federal Register.

Considering CIRCIA and its newly published NPRM, what might incident reporting for ransomware attacks look like in the future? Let’s find out.

How does CISA define ransomware?

As per CISA, “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

Ransomware groups often target and threaten to sell or leak stolen data or authentication information if the ransom is not paid. Ransomware attacks have become increasingly prevalent among state, local, tribal and territorial (SLTT) government entities and critical infrastructure organizations.

How might incident reporting for ransomware differ from other attacks?

CISA’s NPRM proposes four types of impacts that would result in an incident being classified as a substantial cyber incident and, therefore, reportable. The four types of impact include:

  • Impact 1: Substantial Loss of Confidentiality, Integrity, or Availability
  • Impact 2: Serious Impact on Safety and Resiliency of Operational Systems and Processes
  • Impact 3: Disruption of Ability to Engage in Business or Industrial Operations
  • Impact 4: Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise

CISA is further proposing that substantial cyber incidents include any incident regardless of cause — whether or not ransomware is involved. These could be a compromise of a cloud service provider, managed service provider or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.

CIRCIA requires covered entities to report to CISA any covered cyber incidents within 72 hours after the entity reasonably believes that the covered cyber incident has occurred.

Meanwhile, ransom payments made in response to a ransomware attack must be reported within 24 hours after the ransom payment has been made. Clearly, CIRCIA places ransomware as a reporting priority.


What are the steps to follow for ransomware reporting?

As far as ransomware reporting is concerned, CISA’s NPRM outlines four steps:

  1. A covered entity that experiences a covered cyber incident must report that incident to CISA.
  2. A covered entity that makes a ransom payment as the result of a ransomware attack must report that payment to CISA.
  3. Until a covered entity notifies CISA that the covered cyber incident in question has concluded and been fully mitigated and resolved, a covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if substantial new or different information becomes available.
  4. A covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if the covered entity makes a ransom payment after submitting a Covered Cyber Incident Report.

CISA also explains that the passage of time does not exempt an incident from reporting. For example, let’s say your company discovers that it experienced a cyber incident two years ago, and the incident is ongoing. You would still be required to submit a Covered Cyber Incident Report under the proposed rule because the incident has not concluded and has not been fully mitigated and resolved.

What exceptions exist when reporting a cyber incident to CISA?

As per CISA, reportable incidents exclude “any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system.”

What exactly are “good faith” scenarios? It could be a third-party service provider acting within the parameters of a contract that unintentionally misconfigured a company’s devices, leading to a service outage. Another example would be a properly authorized penetration test that inadvertently results in a cyber incident with actual impacts.

Other good faith exclusions could be incidents related to security research testing. Researchers may have been authorized to attempt to compromise systems, such as in accordance with a vulnerability disclosure policy or bug bounty programs. That being said, CISA anticipates that these exemptions would rarely occur. Good faith security research generally stops at the point where the vulnerability can be demonstrated and should not typically result in an actual impactful incident.

Intentional shutdown not exempt if ransomware involved

In some cases, a covered entity, in response to genuine ransomware or other malicious incident, might decide to take action against itself, resulting in reportable level impacts, such as shutting down systems or operations. For example, a Ransomware-as-a-Service attack victim might do this to prevent a wider impact due to a cyberattack. This scenario is still considered to be a reportable substantial cyber incident.

In such a case, the incident itself was not perpetrated in good faith, and the threshold-level impacts would not have occurred if there had been no attack. Therefore, CISA would not consider the covered entity’s actions to meet the “good faith” exception. Even though the covered entity intentionally triggered an impactful event (e.g., taking systems offline) in an attempt to minimize the potential damage of a cyber incident, this kind of activity would not be exempt from reporting requirements.

Ongoing conversation

The discussion about ransomware reporting requirements is ongoing. And when even entities with robust cyber resilience are at risk, the final conclusions of CIRCIA will be on everyone’s radar.
