Proposed Cyber Requirements Would Affect Thousands More Companies

May 30, 2024

Proposed Cyber Requirements Would Affect Thousands More Companies

A proposed rule from the Cybersecurity and Infrastructure Security Agency (CISA) introduces new cyber requirements for companies. Under this rule, businesses must report cyber breach incidents within 72 hours of discovery or within 24 hours after making a ransomware payment. CISA, part of the US Department of Homeland Security, is pushing these proposed cyber requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This represents a significant shift in the U.S. cyber regulatory environment.

According to an article on the CSO website, the impact of these requirements is notable not because of the reporting timetable, but due to their broad scope. The rule expands the definition of “critical infrastructure” far beyond the traditional list of ports, dams, and power plants.

Sign up for our weekly newsletters specifically curated to different practice areas: litigation, cybersecurity & data privacy, legal ops, and compliance.

“In fact,” writes Anand Oswal, senior VP and General Manager of Network Security at Palo Alto Networks, “CISA’s proposed rule actually includes any entity that is not a ‘small business’ operating within 16 different sectors, encompassing a range of industries across the entire economy – from communications to healthcare, food and agriculture, and beyond.” 

According to projections from CISA, more than 316,000 organizations will fall under the newly proposed cyber requirements. The burden, however, may be mitigated somewhat by the stipulation that to be reportable the cyber incident must be “substantial,” and it must fall under certain designated scenarios. 

Oswal calls the proposed reporting requirements part of an emerging and far more stringent regulatory landscape. This development, he says, underscores the need for advanced and integrated security platforms, bolstered by AI, and built into the business by design instead of being patched in as an afterthought. 

Critical intelligence for general counsel

Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.

Daily Updates

Sign up for our free daily newsletter for the latest news and business legal developments.

Scroll to Top