Requirements for reporting cybersecurity incidents to some regulatory or government authority are not new, but there has always been a large amount of inconsistency, globally, in exactly what the requirements are. More recently, there’s been a growing trend across government and regulatory bodies in the United States towards shorter timeframes for reporting of cybersecurity incidents. Here’s a brief rundown of the recent activity.

At the end of last year, the US Congress passed the National Defense Authorization Act (NDAA). The final version of the NDAA included a cybersecurity incident notification rule that applies only to critical infrastructure entities. It leaves the final threshold for notification to be determined by the Director of the Cybersecurity Incident Review Office, but states that “in no case may the Director require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.” This part of the legislation went through several revisions, however. The House version included a 72-hour notification requirement that applied more broadly, and also a 24-hour notification requirement for ransomware payments. In mid-March, both the House and Senate passed a separate bill, the “Cyber Incident Reporting for Critical Infrastructure Act,” included in the “Consolidated Appropriations Act,” that clearly specifies a 72-hour reporting requirement for critical infrastructure entities.

Also at the end of last year, the FDIC waded into the incident notification pool with a 36-hour requirement. The final rule was issued by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC). Affected organizations must be compliant by May 1, 2022. The National Law Review points out that “[t]his timeline is shorter than any U.S. state data breach notification law