A recent notice regarding the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) has clarified which entities are required to report substantial cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA), and the specific information they are required to report. The notice also outlines legal consequences for individuals, including potential criminal liability for corporate employees who interfere with CISA's ability to obtain accurate and complete information.
While the consequences of failing to comply with CIRCIA's requirements can be severe, the risk of fines, incarceration, or sanctions can be reduced through a careful approach to CIRCIA compliance. Entities and individuals responsible for cyber-incident reporting should begin preparing now, before the reporting requirements take effect.