US critical infrastructure cyberattack reporting rules inch closer to reality

March 28, 2024 at 09:38AM

New cyber incident reporting rules for critical infrastructure are closer to implementation after President Biden signed CIRCIA into law in March 2022. Organizations must report substantial cyber incidents within 72 hours and ransom payments within 24 hours. The rule faces pushback from industry due to the added compliance strain on resources, according to operational technology security strategist Chris Warner.

The proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires critical infrastructure organizations to report substantial cyber incidents within specific timeframes. The rule aims to facilitate rapid deployment of resources to attack victims, analyze and share information to aid in cybersecurity defense, and protect against subsequent issues. There are exceptions for small businesses falling under specific standards. The proposal will be published on April 4, with a 60-day comment period before becoming law. However, industry may push back due to concerns about additional compliance burdens and strained resources. There’s a call for harmonizing sector mandates and building up security programs before imposing further reporting requirements.
