Financial businesses and other critical infrastructure entities would have to report significant cybersecurity and ransomware incidents to the federal government under a new rule that will be proposed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

CISA is offering organizations a preview of the proposal before it is officially released next Thursday as a notice of proposed rulemaking. CISA, which is responsible for understanding, managing, and reducing risks to critical infrastructure from digital and physical attacks, will seek public comments on the draft rule, according to a press release Wednesday.

Public comment will be open for 60 days following publication in the Federal Register.

The rule would require covered entities to report cyber incidents to CISA within 72 hours and ransom payments within 24 hours after the payment was made.

The number and severity of cyberattacks on public and private entities are increasing and pose a serious threat to national and economic security, CISA said. The agency is most concerned with protecting the nation’s critical infrastructure, including the financial industry, energy facilities, hospitals, water, communications, defense, manufacturing, information technology, and more.

CISA will use the information companies report to identify patterns of attacks in real time, which will allow the agency and other regulators to alert vulnerable entities and assist those that get hit.

“This information is also critical to identifying trends that can help efforts to protect the homeland,” CISA stated in the release, referring to requirements under the proposed rule called for in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed rule was drafted with input from the critical infrastructure community through a request for information and listening sessions, the agency said.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said Jen Easterly, CISA director, in the release. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public- and private-sector partners in response to cyber threats.”