Priya PatelTLDR:
- CISA released proposed rules on breach reporting requirements on March 27, 2024
- Covered entities would be required to report qualifying cyber incidents, ransom payments, and new information related to previous reports
On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) released proposed rules on breach reporting requirements mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Covered entities would need to report qualifying cyber incidents, ransom payments made in response to a ransomware attack, and any substantially new information discovered related to a previously submitted report to CISA. Qualifying cyber incidents are defined as events leading to substantial loss of information, serious impact on safety, disruption of business operations, or unauthorized access. Covered entities within critical infrastructure sectors or subject to sector-specific standards would be required to adhere to these rules. Failure to comply could lead to enforcement actions by CISA.
