Dive Brief:
- More than two dozen industry stakeholders, including the U.S. Chamber of Commerce, are seeking to extend the deadline to file comments on the Cyber Incident Reporting for Critical Infrastructure Act, according to a letter released Friday. The new deadline would be July 3 if the requested 30-day delay is granted.
- The Cybersecurity and Infrastructure Security Agency issued the proposed rule for CIRCIA, which will require critical infrastructure providers to report significant cyber incidents within 72 hours of discovery and to report ransom payments within 24 hours of making them. The notice was published Thursday in the Federal Register and currently carries a June 3 deadline for public comments.
- The letter, signed by a range of industry groups including the American Bankers Association, National Retail Federation and American Petroleum Institute, is asking for additional time to absorb the complex set of regulations involved in reporting covered cyberattacks and breaches as well as reporting payments to federal authorities.
Dive Insight:
CIRCIA would potentially cover more than 316,000 organizations and cost about $2.6 billion over the rule's period of analysis, according to CISA's estimates. There are 16 designated critical infrastructure sectors, and a number of them have already seen their regulators implement additional measures in a bid to help them better prepare for malicious threat activity.
“There are many areas that need to be discussed in detail, including the definition of a covered entity, how the data will be used, whether the regulatory harmonization is workable and the penalties for not filing on time,” said Ari Schwartz, coordinator of the Cybersecurity Coalition and the Center for Cybersecurity Policy and Law and one of the lead authors of the letter.
CIRCIA, which passed in 2022, gives CISA additional authorities to compel critical infrastructure entities to provide specific information about cyber incidents and ransom payments. For example, a request for information or a subpoena can be issued, and if those fail, a civil action can be brought in federal district court to enforce such measures, according to the documents.
Another important issue is how these requirements will be harmonized with other federal disclosure rules, such as required disclosures from the Securities and Exchange Commission and other regulatory bodies, so companies aren’t forced to answer duplicative requests.
Various federal agencies have stepped up efforts in recent years to tighten cybersecurity requirements for the sectors they oversee.
Just last month the Environmental Protection Agency and White House met virtually with state homeland security and other officials over measures designed to prepare the public water sector against active threats from state-linked threat groups that have targeted drinking water and wastewater treatment providers.