The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice of public rulemaking on April 4 to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

CIRCIA joins a litany of other state and federal reporting requirements that contribute to the Gordian knot of cyber incident reporting laws. Federal agencies are evaluating options to streamline incident reporting. But for now, a business may have multiple incident reporting obligations, which may be overlapping or seem duplicative. Nevertheless, businesses should understand their obligations and be ready to comply to avoid potential penalties.  

Cyber incident reporting is an important part of a comprehensive cybersecurity and incident response program. Incident reporting can also improve security because it helps government agencies distribute information to avoid additional victims. Businesses can set themselves up for success by proactively considering how they will fulfill their reporting requirements before a breach. Cyber insurers can also play an informal advisory role by helping policyholders navigate incident reporting laws and identify breach counsel to provide further assistance.

This article is a refresher on the questions businesses may want to consider in advance of a breach regarding their cyber incident reporting requirements.

But first, what is CIRCIA?

CIRCIA is an incident reporting law that requires certain covered critical infrastructure entities to report ransom payments within 24 hours, and certain cyber incidents within 72 hours of when they are reasonably deemed to have occurred. An entity is considered a covered entity subject to reporting requirements if it meets either size or sector criteria.

The CIRCIA draft rule contains details necessary to implement the new reporting requirement, to include which entities are required to report, what incidents must be reported and when, and what information must be included in reports. The draft rule is open for public comment for 60 days, at which point CISA will review those comments and may make revisions.

CIRCIA reporting remains voluntary until the rulemaking process is finalized, which could be as late as October 2025.

Cyber incident reporting is an important part of a comprehensive cybersecurity and incident response program. Incident reporting can also improve security because it helps government agencies distribute information to avoid additional victims.

What obligations or commitments do businesses have?

Businesses may have multiple reporting obligations, which could soon include CIRCIA. These may be affected by their business sector, geographic location, details of the incident, and whether the business is publicly traded, among other things. 

Businesses may be required to report to multiple agencies or to multiple jurisdictions at the state or federal level simultaneously. What qualifies as a reportable cyber security incident, what information needs to be reported, and on what timeline can vary if the business has more than one reporting requirement. 

Businesses should also consider commitments to share information that are not legally required, such as when that business has voluntarily committed to information sharing through an Information Sharing and Analysis Center.

Who is responsible for monitoring and maintaining the list of reporting obligations? 

Businesses should periodically review and assess their reporting obligations to make sure all key stakeholders understand the requirements. It’s important to maintain a current and authoritative list of reporting obligations.

Assigning clear responsibilities for keeping current on these obligations — such as, who in the business is responsible for monitoring and maintaining the list of reporting obligations — is key to ensuring the business is well-prepared.

Who is the primary point of contact responsible for reporting when obligations are triggered? 

Assigning responsibility well before an incident can empower teams during times of crisis and help avoid confusion later. The primary point of contact for reporting should be actively engaged in incident response planning and drilling well before an incident.

This responsible party should be empowered to answer:

• What are my reporting obligations? Consider that the business may have obligations to report at the state and federal level, which may soon include CIRCIA.

• When are those reporting obligations triggered? What kinds of incidents trigger reporting obligations? 

• Under what timeline must I report? Businesses with multiple reporting obligations may also be required to report under different timelines.

• To whom will the information be reported? Understanding to which agencies a business will report and through which mechanisms (web interface, et alia) can save time.

• What information should I report? When collecting this information, the responsible party should consider who is consuming the information provided and its purpose. For example, is the information requested to help identify trends in threat actor behavior? Or is the business disclosing information that may be material to an investor?

• What procedures are in place to make sure I have the necessary information?

• Do I know the right points of contact?

• Who in my organization will review the information before I submit it, and at what stage should I include them in the process? Businesses should ensure that reported information is complete, accurate, and does not contain extraneous sensitive information.

Assigning responsibility well before an incident can empower teams during times of crisis and help avoid confusion later.

Cyber incident reporting plans must be part of every comprehensive incident response plan

Even the most secure business may experience a breach. Planning to meet incident reporting requirements should be part of every incident response plan.

Businesses should consider the above questions to put themselves in the best position to meet reporting obligations.

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.