ARTICLE
15 April 2024

CISA Releases Proposed Cyber Incident And Ransom Payment Reporting Rules To Implement CIRCIA

JD
Jones Day

Contributor

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
CISA's proposed rules will require organizations operating in U.S. critical infrastructure sectors to report cyber incidents within 72 hours and ransom payments within 24 hours.
United States Technology
To print this article, all you need is to be registered or login on Mondaq.com.

CISA's proposed rules will require organizations operating in U.S. critical infrastructure sectors to report cyber incidents within 72 hours and ransom payments within 24 hours.

On March 27, 2024, the Cybersecurity and Infrastructure Security Agency ("CISA") of the Department of Homeland Security ("DHS") announced its Notice of Proposed Rulemaking (the "Proposed Rule") to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA"). The Proposed Rule will mandate critical infrastructure entities to report "substantial" cyber incidents and ransom payments. If adopted in its current form, the Proposed Rule would be one of the most sweeping federal cybersecurity incident-reporting regulations.

Covered Entities

The Proposed Rule would apply to an entity in one of 16 critical infrastructure sectors enumerated in Presidential Policy Directive 21 that either exceeds the small business size standard or meets a sector-based criterion. These sector-based criteria exist for 13 of the 16 critical infrastructure sectors and encompass defense contractors, financial services firms, certain manufacturing entities, information technology firms, communication services providers, transportation and utility entities, and others. CISA estimates more than 316,000 entities would be covered entities, including owners and operators of critical infrastructure and their supporting entities. Where it is not obvious that an entity operates in a critical infrastructure sector, CISA recommends reviewing public guidance to determine whether the Proposed Rule applies.

Covered Cyber Incidents

The Proposed Rule defines "Covered Cyber Incidents" as "substantial" cyber incidents that result in: (i) substantial loss of confidentiality, integrity, or availability of an information system or network; (ii) serious impact on the safety and resiliency of operational systems and processes; (iii) disruption of the ability to engage in business or industrial operations, or deliver goods or services; or (iv) unauthorized access to information systems or networks, or any nonpublic information contained therein, facilitated through or caused by compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or supply chain compromise. A cybersecurity incident is "substantial" if it meets the criteria in items (i) through (iii) above, regardless of its cause. The Proposed Rule does not differentiate Covered Cyber Incidents based on the type of system or data affected, and applies without regard to where the system is geographically located.

Under the Proposed Rule,CISA would have robust enforcement authority, including issuing requests for information and subpoenas, and referring noncompliance to DHS and the Attorney General for administrative, criminal, or civil enforcement.

Entities in critical infrastructure sectors should carefully review the Proposed Rule to determine their applicability and ensure alignment with its incident-reporting requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

ARTICLE
15 April 2024

CISA Releases Proposed Cyber Incident And Ransom Payment Reporting Rules To Implement CIRCIA

United States Technology

Contributor

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More