Cybersecurity and Infrastructure Security Agency (“CISA”) Proposed Cyber Security Incident Reporting Requirements

Eckert Seamans | 09/03/2024

On April 4, 2024, CISA1, an agency under the Department of Homeland Security, released a proposed rule that requires certain covered entities operating in critical infrastructure sectors to report cyber incidents to CISA. CISA issued the rule under the authority provided to it by the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”)2. At this time, CISA has only released a proposed rule and the public comment process closed in July, 20243. The final rule requiring notification is expected to be published in 2025 and will go into effect in 2026.4 When the final rule goes into effect, it will require covered organizations to notify CISA if they experience a “covered cyber incident”5 or make a ransomware extortion payment.6 Under the proposed rule, a covered entity experiencing a covered cyber incident would have seventy-two (72) hours to report a covered cyber incident.7 Additionally, a covered entity would have twenty-four (24) hours to report a ransom payment.8

To read more, please log in

Related Content

This site is operated by NetDiligence®. Links found within this site may open a new browser window and take you outside the Sompo International's Cyber Risk Portal to another website, the contents of which are maintained by third parties over whom NetDiligence and Sompo International have no control. We provide links to these external sites for your convenience and awareness. We accept no responsibility for the content of linked sites. Upon request of the content source, we will remove links.
Privacy Policy | Terms of Use