USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields
• Water and waste water systems sector – the EPA mandates water utilities to incorporate cybersecurity into risk assessments and develop emergency response plans under the AWIA.
• Nuclear sector – NRC licensees must implement extensive cybersecurity safeguards, including access controls, network monitoring, supply chain risk management, and incident response protocols to prevent cyberthreats from compromising reactor operations or sensitive nuclear materials.
• Transportation sectors – TSA’s cybersecurity directives require critical infrastructure owners to implement vulnerability assessments, mitigation measures, and cybersecurity plans. Other particular requirements apply to the rail and aviation sectors.
• Healthcare sector – see 6.3 Cybersecurity in the Healthcare Sector.
• Financial services sector – see 3. Financial Sector Operational Resilience Regulation (in particular, 3.1 Scope of Financial Sector Operational Resilience Regulation).
• DIB – the CMMC framework establishes tiered cybersecurity requirements for defence contractors handling controlled unclassified information (CUI), with higher levels requiring measures such as encryption, multifactor authentication, and third-party cybersecurity assessments.

2.3 Incident Response and Notification Obligations

In the USA, incident response and notification obligations for critical infrastructure owners and operators are primarily governed by sector-specific regulations. CIRCIA will apply in addition to, not in replacement of, these sector-specific obligations. Once the CIRCIA regulations are finalised, they will require:
• cyber-incident reporting – covered entities must report covered cyber-incidents to CISA within 72 hours of determining that a covered incident has occurred; and
• ransomware payment reporting – entities must notify CISA within 24 hours of making a ransomware payment.

These requirements aim to enable CISA to better co-ordinate incident response efforts and facilitate information sharing between government and private-sector stakeholders. Despite the comprehensive framework, several uncertainties remain, as follows.

• Covered entities – CISA’s forthcoming regulations will determine which organisations within each sector are subject to CIRCIA obligations. Small or ancillary entities may face ambiguity about whether they fall within the scope.
• Incident thresholds – what constitutes a “covered cyber-incident” under CIRCIA has not yet been finalised. Without CISA’s finalised guidance, entities lack clarity on reporting triggers.
• Overlapping regulations – entities operating in multiple sectors may face overlapping obligations under federal and sector-specific frameworks (eg, HIPAA versus CIRCIA).
• Liability protections – while CIRCIA provides limited liability protections for reporting entities, questions remain about their interaction with confidentiality obligations under other frameworks, such as HIPAA or NRC regulations.
• International implications – organisations operating internationally may need to reconcile compliance with US frameworks such as CIRCIA and foreign standards, including the EU’s Network and Information Security Directive 2 (“NIS2”).
349 CHAMBERS.COM