CISA Publishes a List of Key Elements to Share in Incident Reports
Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity. (more…)
White House Urgent Warning: Act Now to Protect Against Potential Russian Cyberattacks
On March 21, 2022, the White House issued a dramatic warning based on “evolving intelligence” about the potential for Russia to threaten America with cyber attacks in response to U.S.-imposed economic sanctions. In a separate statement, President Biden said that “the Russian Government is exploring options for potential cyberattacks.” He urged the private sector, especially those that operate critical infrastructure, to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” According to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, Russia has been conducting “preparatory activities”, which she said could include scanning of websites and hunting for software vulnerabilities.
In addition to CISA’s Shields-Up campaign, which we covered in a previous blog post, the White House’s March 21 Fact Sheet stresses the urgency of key cyber hygiene steps including recommendations to: (more…)
Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022
The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule. (more…)
Newly Proposed SEC Cybersecurity Risk Management and Governance Rules and Amendments for Public Companies
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The text of the proposed rules is available here. The SEC proposal would continue to ratchet up cybersecurity as an increasingly critical dimension of corporate governance.
Key takeaways from the SEC’s release include the following: (more…)
