Cyber Legislation: 72 Hour Notice Will Be Required Following Cyber Incidents


On March 15th, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law, which requires covered entities to report a covered cybersecurity incident to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they reasonably believe such an incident occurred. The definition of a “covered entity” has not yet been fully established, but the Act describes covered entities as businesses that (1) are in a critical infrastructure sector as defined by CISA, and (2) satisfy the definition and criteria established by the CISA director.

The effective date for CIRCIA has not yet been determined; however, the Act requires the Director of CISA to provide additional guidance within 24 months after the notice of proposed rulemaking, and a final rule is expected within 18 months thereafter.

What is the purpose of this legislation?

According to a statement released by CISA Director Jen Easterly, the new Act will allow CISA to “have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks.”

The Act will “allow [CISA] to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

What should covered entities do?

Since CIRCIA has not yet gone into effect, covered entities should be mindful of evolving rules and guidance. M3 will remain a key resource for clients in determining how your organization may be affected by the Act and any subsequent guidance, and will assist you in preparing to report once the Final Rule has been published.

Key Takeaways

Organizations should remain aware of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires covered entities to report a covered cybersecurity incident within 72 hours to CISA. M3 will continue to monitor the progress of the Act, and provide key updates and best practices for our clients as the situation evolves.
