Skip to main content

Water, Commercial Companies Face More Urgent Reporting of Hacks 

Utilities, businesses to report breaches in 72 hours, ransom in 24 hours

By Maria Curi | March 14, 2022 

Water utilities, casinos, and shopping malls would have to beef up their cybersecurity operations to comply with hack reporting requirements set to become law as soon this week.

Cybersecurity reporting rules passed in a government funding bill (H.R. 2471) March 10 would encompass a broad range of businesses in 16 critical infrastructure sectors. Companies would have 72 hours to report a hack, and 24 hours to report a ransomware payment to the government, once rules are in place.

“A 72-hour reporting requirement is often a challenge for even large and well-resourced organizations,” said Jim McKenney, practice director for industrials and operational technologies at NCC Group, a security consultancy. For industries such as commercial facilities or water systems, it will be a lot more work to prepare, as they aren’t already highly regulated and lack resources, cyber experts said.

The reporting requirements were pulled from Gary Peters‘s (D-Mich.) Senate-passed Strengthening American Cybersecurity Act (S. 3600), and have broad bipartisan backing.

“More often than not, there is no critical aspect to the commercial sector,” said Kevin Gonzalez, security director at the cybersecurity detection firm Anvilogic. That includes shopping malls, casinos, and amusement parks.

Utilities in ‘Own Boats’

Cybersecurity regulations among the water systems are splintered at the local level, varying across the country. Lacking a centralized standard will make it more difficult for operators to change and test their incident responses to comply with the new federal reporting requirements, cyber professionals said. 

“Each operator is rowing their own boat and are woefully understaffed,” said Padraic O’Reilly, cofounder of cybersecurity risk firm CyberSaint.

Tens of thousands of operations are fragmented across the country, said Kristina Surfus, managing director of government affairs at the National Association of Clean Water Agencies.

“The majority of these systems are small, rural, and under-resourced in many cases. So those are the ones that I think will probably struggle the most,” Surfus said. 

Businesses would have some time to prepare before the rules take effect. The Cybersecurity and Infrastructure Security Agency would be required to publish a notice of proposed rulemaking within 24 months of the spending bill’s enactment, and a final rule 18 months after that. Not all companies will be subjected to the requirements as CISA will ultimately decide a final list of covered entities based on the likelihood and effects of disruption through a cyberattack.

“Reporting an attack within 72 hours requires a robust and mature process that is exercised on a regular basis,” McKenney said. Operators can practice responding to incidents to determine the effectiveness of the cybersecurity measures they have in place and which new ones to make priorities, McKenney said. “This will improve capabilities to reliably detect, respond to, and report incidents within 72 hours.” 


Summary of Cyber Incident Reporting Language in Omnibus

Reporting Requirements: Owners of critical infrastructure would have to report to Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of becoming aware of experiencing a substantial cyber incident, or within 24 hours of making a payment in response to a ransomware attack. Covered entities would have to update reports if substantial new information becomes available.

The requirements would take effect after CISA adopts rules to implement them. The agency would have to publish a notice of proposed rulemaking within 24 months of the bill’s enactment and a final rule 18 months after that. 

The rules would include:

  • Which types of entities are subject to the requirement, based on the likelihood and effects of disruption through a cyberattack.
  • Which types of incidents must be reported, including those that lead to a substantial loss of availability of an information system or a disruption of business operations.
  • The contents required to be included in reports, such as information on the attack and exploited vulnerabilities, the identity of those reasonably believed to be responsible, and the types of information compromised.

Entities could voluntarily report additional cyber incidents or ransom payments that aren’t required under the measure but could “enhance the situational awareness of cyber threats.”

CISA would be allowed to request information from entities that don’t provide required reports and could issue subpoenas to those that don’t respond. Further noncompliance could be referred to the Justice Department for contempt of court proceedings. Enforcement proceedings couldn’t be brought against governmental entities.

The reporting requirement wouldn’t apply to entities that report the same information to another federal agency on similar timelines under federal law, regulations, or contracts if the agency has an agreement with CISA to share information. The bill would direct all federal agencies to forward reports to CISA within 24 hours of receiving them.

Organizations that manage policies concerning the Domain Name System — which facilitates internet navigation by translating website names into internet protocol (IP) addresses — would also be exempt. 

Information provided in reports could be shared by CISA only for cybersecurity purposes or to address specific threats of harm to individuals. It would be exempt from disclosure under public records laws and couldn’t be used for regulatory enforcement actions unless it was also obtained through other processes. CISA also would have to make victims’ information anonymous when sharing information with nonfederal entities.