Cyber Incident Reporting Act is a Milestone for Transparency in Cyber Insurance

On March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which created new rules and requirements for businesses that experience a cyber attack.

The law requires critical infrastructure companies to notify the Cybersecurity and Infrastructure Security Agency (CISA) of significant cyber incidents within 72 hours and ransomware payments within 24 hours. The law also authorizes CISA to subpoena businesses that fail to report within the timeframe. 

CIRCIA has the potential to provide the foundation for a coordinated federal response to cyber threats, which have been on the rise globally in recent years. Much remains to be seen about the implications of this new law, but here are the key takeaways:

Colonial Pipeline Was A Tipping Point In The Ransomware Crisis

Recent events, including the ongoing Russian invasion of Ukraine and the Colonial Pipeline ransomware attack last year, were instrumental in the development of CIRCIA. President Biden has cited “evolving intelligence that the Russian Government is exploring options for potential cyberattacks” and has urged businesses in the private sector to tighten their cyber defenses. 

Before 2021, most ransomware attacks were a nuisance for private companies but had little effect on the U.S. population. Colonial Pipeline changed everything, resulting in huge spikes in gas prices across the country, theft of personal data, and a negative impact on the country’s economy.

The far-reaching effects of this singular cyber event raised awareness of the need for improved cyber security practices across all sectors, and CIRCIA is a step in the right direction. 

The Cyber Incident Reporting Act Can Help Hold Private Businesses Accountable

By strengthening CISA’s authority over private businesses and setting specific time frames for incident reporting, CIRCIA increases national cyber security accountability and paves the way for ongoing legislation.

The law also expresses the government’s intent to increase private companies’ awareness of their cyber security protocols and vulnerabilities, and it nudges businesses — even those that don’t qualify as critical infrastructure — to increase their cyber defenses.

This type of cyber reporting law isn’t unprecedented in the U.S. There are already many state laws around data breach notification, as well as regulations within specific agencies, including the TSA and SEC. Beyond that, the FBI has a reporting avenue for entities to voluntarily share information on cyber incidents, though the organization estimates that only about 25% of total cyber incidents in the U.S. are actually disclosed through this channel.

What makes CIRCIA so monumental is that it’s the first federal-level cyber security and incident reporting statute for private businesses in the U.S., establishing a national standard for transparency.

Increased Transparency Is Good For Individuals

If private businesses are required to report cyber incidents to the government within 72 hours, then this law could ultimately help ordinary consumers more quickly become aware of when their information has been breached.

Businesses have developed a bad habit of trying to privately “sort things out themselves” rather than disclosing cyber incidents. There are articles from as many as 10 years ago exposing this type of behavior. With cyber attacks increasing year over year, more individuals are likely to be affected by attacks on private companies as bad actors target both large and small businesses. 

CIRCIA only sets reporting rules for businesses considered to be critical infrastructure, and clarity is still needed on what exactly qualifies as critical infrastructure. While the passage of this law sets a precedent for cyber security accountability with a focus on national security, we can expect an additional benefit of this legislation will be more federal regulations that protect consumer data.

The Cyber Incident Reporting Act Can Empower The Cyber Insurance Industry

CIRCIA is expected to provide increased visibility into the volume and depth of cyber attacks that hit critical infrastructure businesses. CISA will publish these documented cyber incidents in unclassified, periodic reports, which could provide significant value to the cyber insurance industry.

Due to the dynamic nature of cyber risk, cyber insurers are constantly evaluating activity across the industry and adjusting accordingly based on the available data. Until now, insurers have had to rely on their own portfolios and inconsistent information available from the market in order to create risk models. While this method has been successful thus far, access to CISA reporting presents an opportunity for cyber insurers to build better-informed risk models, resulting in more accurate risk assessment at the time of quoting and more precise coverage for businesses.

Cyber carriers have made massive strides in recent years, and access to centralized data from the federal government has the potential to empower the entire cyber insurance industry by strengthening the information ecosystem and laying the foundation for better cyber security practices across private businesses.

The Success Of The Cyber Incident Reporting Act Hinges On Execution

CISA has 24 months from March 15, 2022, to propose the rules and parameters for implementation, then 18 months after that to put forth the final regulation.

CIRCIA does, however, establish some specific guidelines. In addition to setting reporting timeframes, the Act details what the critical infrastructure cyber incident reports should include: a description of any affected systems, the unauthorized access, the impact on operations, and an estimated date range of the event. Access to this information has the potential to better inform and further empower the cyber insurance industry. 

No matter how it plays out, the passage of CIRCIA has brought national attention to cyber security — and that’s a positive outcome for everyone.

Eva Kwan is Director of Claims at At-Bay. She works with insured businesses to execute litigation and settlement strategies. Previously, Kwan was the Regional Head of Cyber, Media, and Technology claims for Allianz Global Corporate & Specialty North America. She began her in-house insurance career with a Lloyd’s specialist insurer, where she handled cyber, media, and technology claims and became Assistant VP of Claims. This article was originally published on the PLUS Blog.