Cyberattacks increase exponentially each year, and the global sanctions on Russia have given cyber predators more reason than ever for retaliatory attacks. To protect against such attacks preemptively, in March of this year President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as part of the omnibus spending bill. However, new laws and regulations can often do more harm than good for organizations whose leaders fail to understand and work with them.
“[m]ost of America’s critical infrastructure is owned and operated by the private sector and critical infrastructure owners and operators must accelerate efforts to lock their digital doors.” – Joe Biden
What Is CIRCIA and Who Is Affected?
CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, requires critical infrastructure companies in 16 industry sectors to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours when struck by a cyberattack, and within 24 hours if the attack resulted in a ransomware payment to the perpetrator. Covered cyber incidents are defined by factors such as:
- Substantial loss of confidentiality, integrity, or availability of information systems or networks.
- Serious impact on safety or resiliency of operational systems; disruption of business or industrial operations.
- Disruptions accomplished through compromises of cloud service providers, managed service providers, third-party hosting providers, or supply chains.
CIRCIA applies to industries whose assets, systems, and networks are considered essential to the United States and whose disablement would significantly weaken national security, the economy, public health, or safety. The following sectors are affected:
- Commercial Facilities
- Defense Industrial Base
- Emergency Services
- Energy Services
- Financial Services
- Food and Agriculture
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Water and Waste Systems
Why Should You Care?
As cyber threats continue to increase, CIRCIA will foster an environment where shared information strengthens everyone's defenses against bad actors. It will allow critical information gaps to be filled quickly and make clear how adversaries target American networks and critical infrastructure. Countermeasures can then be deployed quickly and efficiently, and trends spotted early enough to warn potential victims ahead of time.
Furthermore, the protections under CIRCIA make reporting to CISA (and allowing the agency to share your information with other departments) more advantageous than reporting to other agencies.
A company that fails to respond to a request for information within 72 hours may be issued a subpoena by CISA to compel a response. Further action may include referral to the Department of Justice and contempt of court proceedings. Compliance with CIRCIA regulations is not voluntary; it is mandatory.
It will take a few months for CIRCIA to come into effect, but both companies within the critical infrastructure sectors and those outside them must begin taking precautionary action against threats now. Companies must also maintain their cybersecurity around the clock. A company that is well prepared today will be far ahead of the competition when bad actors strike tomorrow.
What We Offer
We offer a full range of cybersecurity solutions to protect your business. For example, our Managed EDR solution defends all endpoints against attacks at every stage of the threat cycle, and our cybersecurity awareness training teaches your employees to practice security diligence alongside that infrastructure. We also offer compliance as a service, ensuring that your organization complies with every applicable rule and regulation without having to hire full-time staff to parse them. With these solutions in place, you can rely on us for your cybersecurity needs and more. Click here to learn more about our solutions.