Client Alert: The Cyber Incident Reporting for Critical Infrastructure Act of 2022

On March 15, 2022, President Biden signed into law the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (the Act) as part of the 2022 federal funding bill.
 
Among other things, the Act requires critical infrastructure sector entities to report cybersecurity breach incidents and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
 
Key Takeaways
  • The Act covers entities “in a critical infrastructure sector” as further defined by CISA’s final rule.
  • Covered entities must report covered cyber incidents to CISA within 72 hours after reasonably believing a covered incident has occurred.
  • Covered entities must report ransomware payments within 24 hours of making a payment.
  • The Act specifies enforcement authority for CISA and information protection provisions.

Read the full alert here.

Related Capabilities

Related Locations

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

Client Alert: The Cyber Incident Reporting for Critical Infrastructure Act of 2022
On March 15, 2022, President Biden signed into law the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (the Act) as part of the 2022 federal funding bill.
 
Among other things, the Act requires critical infrastructure sector entities to report cybersecurity breach incidents and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
 
Key Takeaways
  • The Act covers entities “in a critical infrastructure sector” as further defined by CISA’s final rule.
  • Covered entities must report covered cyber incidents to CISA within 72 hours after reasonably believing a covered incident has occurred.
  • Covered entities must report ransomware payments within 24 hours of making a payment.
  • The Act specifies enforcement authority for CISA and information protection provisions.

Read the full alert here.

Related Capabilities

Related Locations

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

News and Insights

Publications

In New York Law Journal, The True Lender Doctrine and the OppFi Decision

Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.

July 1, 2026

Event

Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference

On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.

July 1, 2026

Publications

In Employee Relations Law Journal: What Happens When ERISA Disability Deadlines Slip

Partner Joseph Torres along with Associates Emma O'Connor and Christopher LeWarne, authored an article for the Employee Relations Law Journal analyzing a significant Fourth Circuit decision with substantial consequences for ERISA disability plan administrators.

June 23, 2026

Publications

In Law360, Partner Samuel Feder Analyzes the Supreme Court's Ruling in FCC v. AT&T

Partner Sam Feder authored an article in Law360 examining the Supreme Court's June 4 decision in Federal Communications Commission v. AT&T Inc., which rejected AT&T's and Verizon's argument that the FCC's forfeiture process violates the Seventh Amendment right to a jury trial.

June 16, 2026