Cyber “Incidents” and Ransom Payments–Federal Proposed Rule

By: Christine V. Williams on 04/02/2024


The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) has released a notice of proposed rulemaking (“NPRM”) for reporting cyber “incidents” and ransom payments. The proposed rule will be published in the Federal Register on April 4, 2024, and comments are due 60 days after that publication date. Notably, this rule contains a substantial set of definitions and applications of those definitions and may be used as a guide for familiarity with the subject. It also has a helpful table of contents and internal cross-references.

Practice Pointer: The NPRM as released by the agency will always be longer in page count than the proposed rule as published, and it will also be double spaced. That format gives a reader room to take notes and to mark the sections most pertinent to that reader.

This is a substantial rule in that it implements a 2022 law, and CISA is soliciting comments on the applicability and feasibility of certain aspects of the rule.


The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), as amended, requires the Cybersecurity and Infrastructure Security Agency (CISA) to promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities. CISA seeks comment on the proposed rule to implement CIRCIA’s requirements and on several practical and policy issues related to the implementation of these new reporting requirements.

Click the link for quick access to the NPRM/proposed rule: Cyber Rule for Breach