The Cybersecurity and Infrastructure Security Agency (CISA) has issued its Notice of Proposed Rulemaking (NPRM) to establish the first cross-sectoral federal cybersecurity incident and ransomware payment reporting system.

As noted in an alert in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law just over two years ago, requiring “covered entities”—organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber-incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. The NPRM was formally published in the Federal Register on April 4 and the public has until June 3 to submit written comments. CISA is required to publish a final rule by October 2025.

Click here to read the Ropes & Gray client alert which summarizes critical aspects of the NPRM and crucial next steps for businesses to ensure they comply with the proposed rule.