Get the scoop on CIRCIA ransomware reporting now

May 31, 2024

TLDR:

Key Points:

  • CIRCIA requires covered entities to report covered cyber incidents and ransomware payments to CISA.
  • CISA’s NPRM outlines four types of impacts that would result in an incident being classified as a substantial cyber incident.

Article Summary:

In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law by the Biden Administration. The legislation mandates that covered entities report covered cyber incidents and ransomware payments to CISA. The devil is in the details: in early April, CISA published a 447-page Notice of Proposed Rulemaking (NPRM) that is open for public feedback. The NPRM proposes that ransomware attacks be classified as substantial cyber incidents, and therefore reportable, based on four types of impacts.

CISA defines ransomware as malware designed to encrypt files, accompanied by a ransom demand for decryption. The NPRM requires reporting within 72 hours of a covered cyber incident and within 24 hours of a ransom payment. Certain good-faith scenarios may be exempt from incident reporting, but an intentional shutdown in response to a ransomware incident is still reportable. The conversation about ransomware reporting continues, since even entities with robust cyber resilience remain at risk.
