SEC cyber incident reporting requirements: In 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience within four days of determining their materiality and to disclose material information regarding their cybersecurity risk management, strategy, and governance annually. However, as the Center for Cybersecurity Law and Policy has noted, the Securities and Securities Exchange Acts upon which the SEC relied for its rules do not directly reference cybersecurity.
FCC data breach reporting rules: In 2023, the US Federal Communications Commission (FCC) updated and strengthened its data breach notification rules for communications providers to protect against improper use or disclosure of customer data. In issuing its new regulations, the FCC considerably expanded upon its enforcement authority under the Communications Act, which dealt with protections for a very narrow category of customer data called customer proprietary network information (CPNI) and not the much broader range of customer data reflected in the Commission's rules.
CISA cyber incident reporting requirements: In April 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) proposed a rule to implement the cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule is not slated to be finalized until 2025. However, in developing its rulemaking, CISA had to interpret CIRCIA broadly.