Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

This holiday season—following a year of headline breaches, surging supply-chain attacks, and major regulatory changes—cyber resilience tops every corporate wish list.

The Cybersecurity and Infrastructure Security Agency (“CISA”) remains at the forefront of U.S. cybersecurity amid a turbulent year of leadership change and policy realignment. With the long‑awaited Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) rules slated for May 2026 and a continuing focus on international cyber strategies, the agency is poised to shape the future of critical infrastructure security. CIRCIA will introduce mandatory cyber incident and ransomware payment reporting for covered critical infrastructure, driving faster federal response and shaping compliance programs, contractual obligations, and risk governance across sectors. At the same time, CISA’s 2025–2026 International Strategic Plan outlines the federal government’s purported approach to cross‑border cyber defense—prioritizing partnerships, information sharing, and supply‑chain risk mitigation—with direct implications for transnational firms. Yet CISA faces major challenges, including leadership gaps, workforce constraints, and increased political scrutiny, that may threaten its ability to fulfill its mission in the year ahead. Continue Reading On the Sixth Day of Data… CISA, CIRCIA, and the Future of Critical Infrastructure Security

On March 7, 2025, the Department of Homeland Security (“DHS,” “the agency”) disbanded the Critical Infrastructure Partnership Advisory Council (“CIPAC,” “the Council”), originally established in 2006 to facilitate communication between the public and private sectors on critical infrastructure issues. CIPAC’s termination comes against the backdrop of the 2015 Cybersecurity Information Sharing Act’s (“CISA 2015,” “the Act”) upcoming expiration on September 30, 2025. CIPAC and CISA 2015 have jointly provided a valuable legal and operational framework for sharing information between the public and private sector in the U.S. for the past decade. Financial services industry stakeholders and members of Congress have expressed concern in recent months over increased cyber threats to industry stakeholders should the current public-private information sharing framework deteriorate. These recent developments are poised to significantly impact the financial services industry’s cybersecurity landscape – absent steps by Congress and the Administration to provide continuity for the current framework. Continue Reading CIPAC Disbandment and CISA 2015 Reauthorization: Recent Developments in the U.S. Cybersecurity Landscape

Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend. Continue Reading Dashing Through Cybersecurity Regulations in the Financial Services Sector in 2024