Description
On Mar. 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law. On Apr. 4, 2024, CISA published a comprehensive proposed rule for implementing CIRCIA's requirements.
The proposed rule applies to a wide range of companies that fall into either of two categories: (1) entities operating in critical infrastructure sectors, except for small businesses as defined by the Small Business Administration; or (2) entities operating in critical infrastructure sectors that fulfill sector-based criteria, even if the entity is a small business. The critical infrastructure sectors generally include defense industries, communications, energy, food and agriculture, financial services, information technology, transportation, government facilities, and healthcare.
Under the proposed rule, covered entities must report "substantial" cyber incidents, which include events that result in a substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network; have a serious impact on the safety and resilience of a covered entity's operational systems and processes; a disruption of a covered entity's ability to engage in business or industrial operations or deliver goods or services; and unauthorized access to a covered entity's information system, network, or nonpublic information.
Listen as Harley Geiger, an experienced cybersecurity law and policy attorney, summarizes the key aspects of the proposed new rule and provides guidance for advising clients on revising or developing security programs and cyber incident response strategies to meet the rule's requirements.
Presented By
Mr. Geiger counsels organizations on a wide variety of cybersecurity law and policy matters. When advising clients on privacy and technology policy and regulations, he draws from his years of experience working in-house at a major cybersecurity company during the maturation of the industry. Mr. Geiger's substantive experience and industry connections position him as a sought-after speaker at events on technology policy and a noted commentator on technology policy and law. He regularly testifies before Congress and government agencies on technology laws and is actively involved in shaping related policies. Mr. Geiger founded and leads the Hacking Policy Council, a trade association that facilitates best practices for vulnerability management.
-
This 90-minute webinar is eligible in most states for 1.5 CLE credits.
-
Date + Time
- event
Wednesday, August 21, 2024
- schedule
1:00 p.m. ET./10:00 a.m. PT
- Overview of CISA's new proposed rule
- Covered entities--broad definition of "critical infrastructure"
- Substantial cyber incidents
- Reporting requirements and how they harmonize with other cyber disclosure rules
- Exemptions from reporting
- Data retention and recordkeeping requirements
- Enforcement and penalties
- Timeline for implementation of the proposed rule
- Steps businesses should take now in preparation for this new regulatory framework
- Final thoughts and key considerations
The speaker will discuss these and other relevant issues:
- What is the background regarding the new proposed rule?
- What companies are considered "covered entities" under the proposed new rule?
- What types of cyber incidents must be reported and what are the prescribed timeframes for reporting?
- What are the exemptions from reporting?
- How will CISA enforce the proposed new rule and what are the penalties for failing to submit a required report?
