New rules proposed for reporting critical infrastructure cyberattacks

March 29, 2024


TLDR:

  • America’s cyberattack reporting rules for critical infrastructure operators are moving closer to implementation.
  • The proposed rule would require reporting of substantial cyber incidents within 72 hours and ransom payments within 24 hours.

America’s critical infrastructure cyberattack reporting rules are edging towards reality: the Feds have posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The rule would require organizations in critical infrastructure sectors to report substantial cyber incidents within 72 hours of discovery and ransom payments within 24 hours. To encourage compliance and protect public service providers, the reports would not be publicly disclosed, but anonymized information would be shared with relevant industry sectors to enhance protection. The proposed rule is open for public comments for 60 days before becoming law, and CISA is developing detailed guidelines to streamline reporting for critical organizations. Despite pushback over the added compliance strain, the rule is seen as a step in the right direction for cybersecurity in critical infrastructure.

