Chris Odogwu writes:
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a federal law mandating “covered entities” that deal with critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
If you encounter a cyberattack, you might want to share your experience with your security team or anyone else who can help prevent a recurrence. Until recently, sharing such information with a government agency was optional. CIRCIA now mandates organizations and chief information security officers (CISOs) to report cyber incidents to CISA for a more secure cyber environment.
Signed into law by President Joe Biden in 2022, CIRCIA stipulates that you must report all cyber incidents not more than 72 hours after you become privy to them. Should you pay a ransom to attackers, you must report it within 24 hours.
Read more at MakeUseOf.
If you’ve read Bitdefender’s 2023 survey results, you may recall that, across all sectors, 75% of U.S. respondents reported having had a breach within the past 12 months. The shocker is that more than 70% reported being told to cover up a breach, and 55% said they had kept a breach confidential when they knew it should have been reported.
Will CIRCIA make any difference in disclosure, or will those who are mandated to report under the law still cover up? And what will be the consequences for failure to report?
You can read more about CIRCIA on CISA’s website. Right now, reporting to CISA is still voluntary: the statute’s 72-hour incident and 24-hour ransom-payment deadlines do not bind anyone until CISA completes the required rulemaking (a proposed rule, public comment, and then a Final Rule) and that Final Rule takes effect. The rule is also what will define which entities are “covered entities” and which incidents are “covered cyber incidents,” so the “all cyber incidents” framing above is broader than what the law will actually require. As for consequences, CIRCIA itself does not set monetary penalties for failing to report; if CISA believes a covered entity failed to report, it can request the information, issue a subpoena if the entity does not respond, and refer non-compliance with that subpoena to the Attorney General for civil enforcement.