April 12, 2024

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Proposed Rule

On April 4, 2024, the U.S. Department of Homeland Security published a Proposed Rule in the Federal Register for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations for covered entities regarding cyber incident and ransom payment reporting requirements. 

The Proposed Rule includes sixteen critical infrastructure sectors that qualify as covered entities, including health-related sectors such as the Emergency Services Sector, the Healthcare and Public Health Sector, and the Information Technology Sector (all are subject to specific size and sector criteria outlined in the Proposed Rule). 

The Proposed Rule will require covered entities to report (1) substantial cyber incidents and (2) all ransom payments. The Proposed Rule defines a substantial cyber incident as an incident that results in any of the following outcomes: (1) a substantial loss of confidentiality, integrity, or availability of the covered entity’s network or information system; (2) a serious impact on the safety and resiliency of the covered entity’s operational systems and processes; (3) a disruption of the covered entity’s ability to engage in business or industrial operations, or to deliver goods or services; or (4) unauthorized access to the covered entity’s information system or network, or to any nonpublic information contained within the information system or network, that is facilitated or caused by either a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise.

There are four types of reports highlighted in the Proposed Rule: (1) a covered entity must submit a covered cyber incident report within 72 hours after the entity reasonably believes a covered cyber incident occurred; (2) a ransom payment report must be submitted no later than 24 hours after the ransom payment was made; (3) a joint covered cyber incident and ransom payment report must be submitted if the covered entity makes a ransom payment within 72 hours of a covered cyber incident; and (4) a supplemental report must be submitted within 24 hours if the covered entity makes a ransom payment related to a previously reported cyber incident.

Comments on the Proposed Rule are open until June 3, 2024. 

The material in all ABA publications is copyrighted and may be reprinted by permission only.