Easterly: CISA wrapping up cyber incident reporting rule

The head of the Cybersecurity and Infrastructure Security Agency said Wednesday that the organization is “finishing” the long-awaited cyber incident reporting requirement for critical infrastructure companies.

“That should be out later this year or early next year,” CISA Director Jen Easterly said during the Billington Cybersecurity Summit in Washington, D.C. Recorded Future, the parent company of The Record, is a sponsor for the event.

Congress tasked CISA with implementing the reporting mandate in the fiscal 2022 spending bill.

The agency was given two years to publish an interim rule laying out critical infrastructure companies’ obligations to report hacks and an additional 18 months to publish a final rule.

However, Easterly and other CISA officials have long said that they intended to move much faster than that timetable due to concerns about future hacks.

The upcoming rule comes after the Securities and Exchange Commission (SEC) in July adopted rules to require public companies to disclose breaches within four days.

Last week a group of House Republicans sent a letter to SEC Chair Gary Gensler criticizing the move, warning it replicates the requirements of the 2022 appropriations bill.

The lawmakers urged the commission to work with the Homeland Security Department’s Cyber Incident Reporting Council to determine how its rule interacts and with other federal digital incident reporting requirements and asked it to conduct a “complete internal analysis of how this rule will interact with the SEC’s other cybersecurity disclosure proposals.”