Taylor Sample Outlines CISA's Proposed Cyber Reporting Rules

Bass, Berry & Sims


Bass, Berry & Sims is a national law firm with nearly 350 attorneys dedicated to delivering exceptional service to numerous publicly traded companies and Fortune 500 businesses in significant litigation and investigations, complex business transactions, and international regulatory matters. For more than 100 years, our people have served as true partners to clients, working seamlessly across substantive practice disciplines, industries and geographies to deliver highly-effective legal advice and innovative, business-focused solutions. For more information, visit www.bassberry.com.

Bass, Berry & Sims attorney Taylor Sample authored an article for Cybersecurity Insiders outlining the U.S. Cybersecurity & Infrastructure Security Agency's (CISA) proposed cyber reporting rules.

The public comment period for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) closed on June 3, 2024, leaving CISA a little over a year to make any modifications and publish the Final Rule. CIRCIA was developed to respond to the growing number of cyber threats and attacks on entities operating within critical infrastructure sectors.

Taylor identified which entities must report, what qualifies as a "substantial" cyber incident, when a company must report an incident, and what a company needs to include in its reports. The information provided to CISA would then be used by federal agencies only for cybersecurity purposes, such as identifying a threat or security vulnerability or responding to specific threats involving death, bodily harm or substantial economic harm.

Companies that fail to report a substantial cyber incident, do not comply with a request for information, or provide false information would be subject to civil action or the pursuit of penalties, suspension or debarment by the U.S. Department of Justice.

The Final Rule is expected to go into effect in early 2026, affecting a wide range of industries.

"Many companies in highly regulated industries will already have written information security programs that will need to be modified to account for this new 72-hour reporting requirement," explained Taylor. "For companies within a critical infrastructure sector that do not currently have written information security programs, including written incident response plans, devising such plans and running desktop simulations will be crucial in preparing for the implementation of the Final Rule."

The full article, "What to Know About CISA's New Cyber Reporting Rules," was published by Cybersecurity Insiders on July 17 and is available online.
