The head of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, announced during the Billington Cybersecurity Summit in Washington, D.C., that CISA is in the final stages of completing the much-anticipated cyber incident reporting requirement for critical infrastructure companies. This rule, mandated by Congress in the fiscal 2022 spending bill, is expected to be released later this year or early next year.
Although CISA was initially given a two-year timeframe for publishing an interim rule and an additional 18 months for a final rule, Easterly and other CISA officials have expressed their intent to expedite the process due to concerns about future cyberattacks.
Furthermore, the impending rule follows the Securities and Exchange Commission’s (SEC) adoption of rules in July, which require public companies to disclose breaches within four days.
The SEC rule has drawn criticism from a group of House Republicans, who argue that it duplicates the requirements of the 2022 appropriations bill. They have called upon the SEC to collaborate with the Homeland Security Department’s Cyber Incident Reporting Council to assess how the rule interacts with other federal digital incident reporting requirements and to conduct a comprehensive internal analysis of its compatibility with the SEC’s other cybersecurity disclosure proposals.
These developments reflect the growing importance of swift and comprehensive reporting of cyber incidents in the evolving landscape of cybersecurity regulations and requirements.