U.S. releases draft federal cyberattack reporting rules for critical infrastructure companies

The United States Cybersecurity and Infrastructure Security Agency (CISA) has released a draft of the rules explaining how critical infrastructure companies must report cyberattacks to the government. Companies owning and operating critical infrastructure will need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours. The rules target any company owning or operating systems the U.S. government classifies as critical infrastructure, in sectors such as healthcare, energy, manufacturing and financial services. The rules will also apply to companies that don't operate critical infrastructure themselves but whose systems may be vital to a particular sector, such as service providers.

The new rules differ from other reporting rules already in effect. For example, the SEC requires reporting no later than four business days after a company determines that a cyberattack will have a material impact on its operations, and those reports are made public through regulatory filings. CISA's window is narrower, and the agency will treat reports confidentially, publishing only aggregated, anonymized statistics quarterly.

Jeffrey Newman is a whistleblower lawyer whose firm only represents whistleblowers in, among other things, Securities Exchange Act, FinCEN and CFTC whistleblower cases involving publicly traded companies or financial institutions. He can be reached at Jeff@JeffNewmanLaw.com or at 617-823-3217.