CISA's New Proposed Cyber Incident Reporting Rule: Covered Entities, Enforcement, Exceptions, Penalties

Course Details
- Format: On-Demand
- Difficulty Level: Intermediate
- Practice Area: Cybersecurity and Data Privacy
- Date: Wednesday, August 21, 2024
- Time: 1:00 p.m. ET / 10:00 a.m. PT
- Program Length: 90 minutes
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
This CLE webinar will provide an overview of the proposed rule recently released by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) requiring covered entities to report cyber incidents and ransom payments to CISA within prescribed time periods. The speaker will discuss the requirements of the proposed rule and provide guidance for advising clients on steps they should start taking now to prepare for this new cyber reporting framework.
Faculty
Harley Geiger
Mr. Geiger counsels organizations on a wide variety of cybersecurity law and policy matters. When advising clients on privacy and technology policy and regulations, he draws from his years of experience working in-house at a major cybersecurity company during the maturation of the industry. Mr. Geiger's substantive experience and industry connections position him as a sought-after speaker at events on technology policy and a noted commentator on technology policy and law. He regularly testifies before Congress and government agencies on technology laws and is actively involved in shaping related policies. Mr. Geiger founded and leads the Hacking Policy Council, a trade association that facilitates best practices for vulnerability management.
Description
On Mar. 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law. On Apr. 4, 2024, CISA published a comprehensive proposed rule for implementing CIRCIA's requirements.
The proposed rule applies to a wide range of companies that fall into either of two categories: (1) entities operating in critical infrastructure sectors, except for small businesses as defined by the Small Business Administration; or (2) entities operating in critical infrastructure sectors that fulfill sector-based criteria, even if the entity is a small business. The critical infrastructure sectors generally include defense industries, communications, energy, food and agriculture, financial services, information technology, transportation, government facilities, and healthcare.
Under the proposed rule, covered entities must report "substantial" cyber incidents, which include events that result in a substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network; have a serious impact on the safety and resilience of a covered entity's operational systems and processes; cause a disruption of a covered entity's ability to engage in business or industrial operations or deliver goods or services; and involve unauthorized access to a covered entity's information system, network, or nonpublic information.
Listen as Harley Geiger, an experienced cybersecurity law and policy attorney, summarizes the key aspects of the proposed new rule and provides guidance for advising clients on revising or developing security programs and cyber incident response strategies to meet the rule's requirements.
Outline
- Overview of CISA's new proposed rule
- Covered entities: broad definition of "critical infrastructure"
- Substantial cyber incidents
- Reporting requirements and how they harmonize with other cyber disclosure rules
- Exemptions from reporting
- Data retention and recordkeeping requirements
- Enforcement and penalties
- Timeline for implementation of the proposed rule
- Steps businesses should take now in preparation for this new regulatory framework
- Final thoughts and key considerations
Benefits
The speaker will discuss these and other relevant issues:
- What is the background regarding the new proposed rule?
- What companies are considered "covered entities" under the proposed new rule?
- What types of cyber incidents must be reported and what are the prescribed timeframes for reporting?
- What are the exemptions from reporting?
- How will CISA enforce the proposed new rule and what are the penalties for failing to submit a required report?