A new law makes critical infrastructure industries like insurance and tech more responsible for reporting and responding to cybercrime.
On March 15, 2022, President Joseph (Robinette) Biden signed the Consolidated Appropriations Act 2022 into law. While the omnibus legislation touches a number of areas, one point of interest for those in insurance is its new cybersecurity reporting requirements for critical infrastructure businesses.
Critical infrastructure, according to the Cybersecurity & Infrastructure Security Agency (CISA), includes the chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems sectors. And, if you were in any doubt, financial services definitely includes insurance.
Before we dive into what this regulation is, what it does, and what it means for those of us working in insurance, or tech, or both, keep in mind a few things:
- This is new regulatory territory
- You’re responsible for your own due diligence
- We put the fun in funky and we’re curious as a rule
- We’re also not your lawyers; our description of this regulation and key takeaways are not a substitute for legal advice and are intended for informational purposes only
- The content you are about to read is a summary of our own analysis of the regulation; any resources leveraged are credited to the source, as applicable. However, if any credited information is incomplete or in error, please email us so we can correct the error.
Why the Cyber Incident Reporting for Critical Infrastructure Act of 2022?
Several other versions of cybersecurity infrastructure bills are held up in the House and Senate, but lack consensus from both parties. Cyber infrastructure is a growing issue of concern as companies across all sectors struggle with analogue breaches, digital hacks, and ransomware; it’s certainly no surprise this joined the broader cohort of insurance-adjacent laws from this session.
Some of these incidents have been widely public, affecting oil supplies or water infrastructure in a way that can’t be ignored. Others have gone unnoticed, with consumers waiting years to find out their personal identifying data has been compromised.
For decades, various businesses and industries have operated in silos regarding cybersecurity. No one wants to admit vulnerabilities, or make it public that they paid a ransom to a hacker. Headline and reputational risks ruled. The result has been:
- Little incentive for businesses to proactively prevent an attack, and no accountability beyond market forces for protecting user data
- Slow and inadequate responses when breaches occur
- Cyberattacks treated as one-off events, making it harder for law enforcement to investigate coordinated networks of hackers and digital hostage-takers
Ultimately, stakeholders across the political gamut recognize the current atmosphere only encourages cybercriminals. Additionally, it’s negligent to talk about the climate of cybercrime without mentioning the Russian war on Ukraine. As part of the war, Russia – which has sheltered the largest networks of cybercriminals for some time now – has stepped up its malware efforts. Instead of ransoming data, Russian criminals are much more likely to take a scorched-earth approach to data breaches, severing an organization’s ability to recover and assess its data.
U.S. concerns about Russian hack attacks are now so great that they have overcome our political inertia to shore up cyber defenses in every corner of critical infrastructure.
Even before Russia invaded Ukraine, we knew digital security was on the political agenda; the Biden Administration’s earlier cybersecurity summit also pushed insurers to take responsibility for increasing pressure on insureds to focus on preventative measures.
What requirements does this federal regulation place on the financial and technology sectors?
The central focus of the Cyber Incident Reporting regulation is breaking the cycle of secrecy around cyberattacks by mandating reporting.
Concretely, any business subject to the act must report “anomalous” cyber events to CISA:
- Within 72 hours of an incident, the organization has to report an event to CISA
- Within 24 hours of paying a ransom, the organization has to report the ransom payment
- Following similar timelines, an organization has to submit supplemental reports to CISA as their knowledge of the attack, how it happened, and how they are handling it evolves
- Supplemental reports are expected until the organization notifies CISA that it has definitively resolved the situation
- The organization is required to preserve relevant data for federal review in the aftermath of any breaches
What information do insurance and other institutions have to include in their cyber reports?
A report of a breach, hack, attack, or other anomalous event, according to the new law, requires as much information as possible in the following categories. Before you get defensive, the legislation makes clear that the information in these reports will be used only by federal law enforcement, and that it’s not subject to Freedom of Information Act requests. If CISA shares the information in any public way, it will be in an aggregate and anonymized form.
Basic information outlined in a CISA incident report (which you can submit to report@cisa.gov or (888) 282-0870) includes:
- A description of the incident, complete with the identification of what systems were compromised and what they do, a description of the unauthorized access, the date range of the incident, and a description of the impact to the operations of the business or organization.
- A description of the system vulnerabilities and whatever procedures or exploitations the perpetrator used. Basically, a “how did this happen?” report.
- Contact information for those responsible (if available) – if you’re scratching your head, thinking “oh yeah, hackers are just going to give you their number,” remember many of them do just that, pretending to be remote software support.
- Categories of information accessed by the unauthorized user. Whether they got into your business’s social media accounts, mucked with your underwriting data, or made off with Social Security numbers, the fed wants to know.
- Name and other identifying information of the affected entity, as well as information about location, DBAs, and trademarks.
- Contact information for the affected entity, so the government can reliably maintain an effective stream of communications about the incident.
Ransomware attacks
A ransomware attack report has essentially the same information as any other incident report, but also includes information specific to the ransom payment:
- Contact information for the entity paying the ransom and for any third-party institutions involved (like your bank, a wire service, or a crypto exchange)
- Contact information for the ransomer
- Date of ransom payment
- Payment demands including payment amount and type
- Ransom instructions such as where and how to pay
Implementing the Cyber Incident Reporting Act
For companies that pretend they’ve never heard of this law (or even for those who legitimately are ignorant), this one has a few teeth. The CISA director has the power to subpoena organizations that are suspected of having cyberbreaches or ransom incidents and that failed to report them. From combing through your internal data to referring you to the U.S. Attorney General, the process could be quite uncomfortable compared to the drudgery of filing a confidential cyber report upfront.
Among other things, this law also outlines a timeline for the creation of:
- A Cyber Incident Reporting Council with members from various government agencies tasked with coordinating, deconflicting, and harmonizing federal incident reporting requirements
- A Ransomware Vulnerability Warning Pilot Program that will establish best practices for preventing ransomware threats by assessing key vulnerabilities in American tech infrastructure
- A Ransomware Threat Mitigation task force with Federal Bureau of Investigation, National Security Agency, and Attorney General’s Office members that will identify opportunities to proactively attack ransomware threats and look for opportunities for national coordination against cyberthreats
And, of course, everyone associated with these task forces and pilot programs will report to Congress, as well. So, success is all but guaranteed, right?
The future of cybersecurity in insurance
Frankly, this legislation is a few years behind the leading edge of cyberthreats faced by the insurance and other industries. And, while cyberinsurance is quickly reforming itself around best practices like multi-factor authentication and zero-trust architecture, many insurers themselves lack these protections for their own on-the-ground workforce tech.
Many cybersecurity firms are predicting the legislation will drive investments in security tech for insurers, producers, and everyone in between, as well as pushing more concentrated hiring for tech-specific positions like chief technology officers (CTOs), and giving existing CTOs bigger budgets and more latitude within an organization.
As they turn toward digital security, insurance industry organizations would do well to remember they’re only as strong as their weakest link, and that includes third-party partners. The future is only going to get more risk-averse, in all areas of the business.
To see how AgentSync can limit your risks – both as a producer licensing tool and as a partner built on zero-trust architecture – check out our demo.