Bass, Berry & Sims attorney Taylor Sample authored an article for Cybersecurity Insiders outlining the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) proposed cyber reporting rules.
The public comment period for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) closed on June 3, 2024, leaving CISA a little over a year to make any modifications and publish the Final Rule. CIRCIA was developed with the aim of responding to the growing number of cyber threats and attacks on entities operating within critical infrastructure sectors.
Taylor identified which entities must report, what qualifies as a “substantial” cyber incident, when a company must report an incident, and what a company needs to include in its reports. The information provided to CISA would then only be used by federal agencies for cybersecurity purposes, such as identifying a threat or security vulnerability or responding to specific threats involving death, bodily harm or substantial economic harm.
Companies that fail to report a substantial cyber incident, do not comply with a request for information, or provide false information would be subject to civil action or the pursuit of penalties, suspension or debarment by the U.S. Department of Justice.
The Final Rule is expected to go into effect in early 2026, affecting a wide range of industries.
“Many companies in highly regulated industries will already have written information security programs that will need to be modified to account for this new 72-hour reporting requirement,” explained Taylor. “For companies within a critical infrastructure sector that do not currently have written information security programs, including written incident response plans, devising such plans and running desktop simulations will be crucial in preparing for the implementation of the Final Rule.”
The full article, “What to Know About CISA’s New Cyber Reporting Rules,” was published by Cybersecurity Insiders on July 17 and is available online.