Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

Water, Commercial Companies Face More Urgent Reporting of Hacks

March 14, 2022, 9:00 AM

Water utilities, casinos, and shopping malls would have to beef up their cybersecurity operations to comply with hack reporting requirements set to become law as soon this week.

Cybersecurity reporting rules passed in a government funding bill (H.R. 2471) March 10 would encompass a broad range of businesses in 16 critical infrastructure sectors. Companies would have 72 hours to report a hack, and 24 hours to report a ransomware payment to the government, once rules are in place.

A man types on a laptop computer in an arranged photograph taken in Tiskilwa, Ill., in 2015.
Photographer: Daniel Acker/Bloomberg

“A 72-hour reporting requirement is often a challenge for even large and well-resourced organizations,” said Jim McKenney, practice director for industrials and operational technologies at NCC Group, a security consultancy. For industries such as commercial facilities or water systems, it will be a lot more work to prepare, as they aren’t already highly regulated and lack resources, cyber experts said.

The reporting requirements were pulled from Gary Peters‘s (D-Mich.) Senate-passed Strengthening American Cybersecurity Act (S. 3600), and have broad bipartisan backing.

BGOV Bill Summary: S. 3600, Federal Cybersecurity Package

“More often than not, there is no critical aspect to the commercial sector,” said Kevin Gonzalez, security director at the cybersecurity detection firm Anvilogic. That includes shopping malls, casinos, and amusement parks.

Utilities in ‘Own Boats’

Cybersecurity regulations among the water systems are splintered at the local level, varying across the country. Lacking a centralized standard will make it more difficult for operators to change and test their incident responses to comply with the new federal reporting requirements, cyber professionals said.

“Each operator is rowing their own boat and are woefully understaffed,” said Padraic O’Reilly, cofounder of cybersecurity risk firm CyberSaint.

Russian Cyber Threats Prompt Water Systems to Prepare for Hacks

Tens of thousands of operations are fragmented across the country, said Kristina Surfus, managing director of government affairs at the National Association of Clean Water Agencies.

“The majority of these systems are small, rural, and under-resourced in many cases. So those are the ones that I think will probably struggle the most,” Surfus said.

Businesses would have some time to prepare before the rules take effect. The Cybersecurity and Infrastructure Security Agency would be required to publish a notice of proposed rulemaking within 24 months of the spending bill’s enactment, and a final rule 18 months after that. Not all companies will be subjected to the requirements as CISA will ultimately decide a final list of covered entities based on the likelihood and effects of disruption through a cyberattack.

“Reporting an attack within 72 hours requires a robust and mature process that is exercised on a regular basis,” McKenney said. Operators can practice responding to incidents to determine the effectiveness of the cybersecurity measures they have in place and which new ones to make priorities, McKenney said. “This will improve capabilities to reliably detect, respond to, and report incidents within 72 hours.”

Regulated Sectors

In contrast, companies in highly regulated businesses, such as financial services and health care, will be better equipped to handle the new rules, cyber professionals said. A government contract with such companies also will already be subject to robust cyber regulations.

The Gramm-Leach-Bliley Act (Public Law 106–102), enforced by the Federal Trade Commission, requires companies such as banks and brokerage firms to explain to customers their information-sharing practices and to safeguard sensitive data. The act is one of dozens of domestic and international cybersecurity standards financial services firms must adhere to, O’Reilly said.

O’Reilly worked with the Bank Policy Institute, an industry lobbying and advocacy group, to help harmonize the sector’s standards with a cybersecurity framework.

“Money talks,” Anvilogi’s Gonzalez said about such companies. “So they will have more controls enforced and more auditing in place, which will help ensure they’re up to par to identify and report incidents.”

In addition to having robust internal resources, financial companies also tend to have cybersecurity insurance that comes with external cyber professionals ready to help respond to incidents, particularly with very large ransomware attacks, Gonzalez said.

Financial Firms Poised for Worse Cyber Threats After Trying Year

Cyber professionals also said communications businesses would be better prepared for the new rules.

Eric Wenger, the senior director for technology policy at Cisco Systems Inc., said the information technology company is already used to adhering to a 72-hour reporting requirement when doing transatlantic business in Europe. The requirement falls under the General Data Protection Regulation, the European Union’s law on data protection and privacy.

“Having a separate, shorter deadline for ransom payment reporting is a novel idea,” compared with the 72-hour reporting requirement, Wenger added. “But it’s one that makes sense given that the requirement has a clear trigger—transmitting funds. Other cyber incidents require longer periods to avoid over-reporting of potential or threatened events that never pan out.”

Information Is Currency

Hospitals, nursing homes, and research centers are subject to the Health Insurance Portability and Accountability Act (Public Law 104–191), enforced by the Health and Human Services Department. It requires health-care organizations to keep patient data safe.

Under HIPPA, health-care providers must review records regularly to track access to electronic protected health information, detect security incidents, and periodically evaluate the effectiveness of security measures.

Health Insurer to Pay $5.1 Million Over 18-Month Security Breach

But even under the blanket regulatory framework, providers have been fined for failing to meet cybersecurity standards.

For many businesses, meeting the new requirements will involve shifting from viewing cybersecurity as a lower priority matter of information technology to a critical business issue, said Bhavesh Vadhani, who leads advisory firm CohnReznick’s global cybersecurity, privacy, and technology risk practice.

“It’s a mindset,” Vadhani said. “Why do I need protocols in place? Because we are dealing with information, and information is the new currency in today’s connected economy and global ecosystem.”

To contact the reporter on this story: Maria Curi at

To contact the editors responsible for this story: Anna Yukhananov at; Robin Meszoly at