The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was signed into law on March 15, 2022, and requires covered entities to report “significant” cyber incidents within 72 hours and ransomware payments within 24 hours.
Many companies already report cyber incidents for the benefit of investors, but the SEC is looking to establish a more regular and predictable system that includes a four-day reporting window.
Critical infrastructure companies may soon be subject to tighter cyber incident reporting requirements, as new cybersecurity legislation has passed the Senate and will now go before the House.
A new cyber incident reporting bill that has been introduced to the Senate would, if passed, create new ransomware payment reporting requirements, including a strict 24-hour limit for any business with more than 50 employees.