Mandatory Reporting of Cyberattacks: CISA’s Initiative for Strengthened Defenses

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is drafting new regulations that would require victims of cyberattacks to report the breaches. These regulations, which would be among the agency's first binding rules, would mandate the disclosure of significant cyber incidents, particularly ransomware attacks and other network compromises.

Under the proposed regulations, companies in 16 critical infrastructure sectors, including healthcare, energy, and finance, would have to report covered security incidents within 72 hours and ransomware payments within 24 hours. CISA, the top U.S. civilian cyber authority, is leading the effort and frames these measures as part of a broader push to fortify defenses against cyber criminals and escalating cyberattacks. In recent years both criminal hacking groups and governments have run aggressive cyber campaigns, and nation-backed hacking operations in particular have risen sharply.

This proposed rule is the latest effort by the U.S. to bolster its defenses against increasingly potent and disruptive cyber threats, including attacks on critical infrastructure, ransomware assaults and nation-backed hacking. A notable shift is the focus on ransomware payments, which have become a contentious topic given the leverage that paying offers to attackers.

CISA is expected to publish the proposed rule by March 2024; the reporting requirements would take effect only once the rule is finalized. This development emphasizes the escalating challenge that cybersecurity threats pose and the growing urgency in the regulatory and corporate sectors to address them. For in-house counsel and other legal professionals, it underscores the need to stay current on the evolving regulatory landscape, advise on the resulting risks and obligations, and execute incident response plans promptly and effectively. In practice, a 72-hour window means an incident response plan needs a predefined path from detection to a reporting decision, with clear ownership of who determines that an incident is covered and who files the report, since the clock runs from the point at which the organization reasonably believes a covered incident has occurred.

This article is derived from a report published on Bloomberg Law.