
Update on Cyber Incident Reporting for Critical Infrastructure Act of 2022

Constangy, Brooks, Smith & Prophete, LLP writes:

As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

CIRCIA, which was signed into law in March 2022 as Division Y of the Consolidated Appropriations Act, 2022, will require, among other things, “covered entities” to report “covered cyber incidents” to the Cybersecurity and Infrastructure Security Agency “not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.” CIRCIA will also require covered entities to report to CISA ransom payments “not later than 24 hours after the ransom payment has been made.” As explained below, the reporting requirements are not yet in effect.

Read more at JDSupra.