The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) may have significant operational impacts, and transactional attorneys should be aware of how the law could affect their work with risk mitigation, delegation of duties, and data retention related to cloud and IT service contracts.
Passed via the government spending bill signed by President Biden last week, CIRCIA tasks the Cybersecurity and Infrastructure Security Agency (CISA) with issuing regulations specifying the types of cyber incidents that covered entities across 16 critical infrastructure sectors will have to report within 72 hours.
CISA’s pending regulations will take time to finalize (the Act gives CISA up to 24 months to publish a proposed rule and a further 18 months to issue a final rule), despite elevated threats of Russian-sponsored cyberattacks. Even so, they could accelerate the cross-industry adoption of cybersecurity notification procedures, and some entities, such as utilities less accustomed to complex information-sharing practices, will need to develop new processes quickly.
The table below summarizes CIRCIA provisions that may be relevant to cloud and other service provider agreements that carry cyber risks.
Three key transactional takeaways can be gleaned from these provisions:
1. Covered cyber incidents will include business disruptions stemming from a compromised service provider. Companies subject to CIRCIA may wish to leverage contract clauses governing audits, disaster recovery, indemnification, and insurance to prevent and mitigate fallout from provider-related disruptions, because CIRCIA’s liability protections cover only the submission of incident reports, not other liabilities that may arise from the incident itself.
2. Covered entities may delegate reporting duties, but remain responsible for compliance. The Act allows a third party, such as a service provider, to submit a report on a covered entity’s behalf, but the reporting obligation stays with the covered entity. Cloud and IT service contracts often contain incident response procedures, which can spell out notification deadlines, who submits what to whom, and the customer’s right to review external communications before they go out.
3. Covered entities must preserve relevant data, with allowable uses of such data to be defined by CISA. Service providers frequently hold logs, backups, and other data that could end up being relevant to a cyberattack. To address this, agreements can impose data usage, preservation, and retention requirements that survive contract termination.
As for CIRCIA’s requirement to report ransomware payments within 24 hours, that is an area already rife with thorny compliance issues, and one deserving of its own separate analysis.
Bloomberg Law subscribers can find guidance on drafting cyber incident reporting clauses, data breach indemnification provisions, and other cyber risk-related contract language in the Data Management module of our Practical Guidance: Information Technology Agreements page.