By Kenya Dixon

Considering CIRCIA

On March 15, 2022, President Biden signed new bipartisan legislation which enacted the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The new Act mandates that the Department of Homeland Security define Critical Infrastructure for purposes of reporting a significant cyber incident. CIRCIA also requires that covered incidents must be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Additionally, CIRCIA mandates that when a covered entity makes a ransomware payment, they must notify CISA within 24 hours of the ransom payment. While CISA has identified the types of activities that will need to be reported, it has not identified every organization that will be deemed Critical Infrastructure. Thus far, there are 14 categories of CI identified by CISA, but the categories may change or increase when the final rules are promulgated. CIRCIA will not be effective until the Rulemaking process is complete.

SEC Proposed New Rules

On March 9, 2022, The Security and Exchange Commission proposed new rules to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.” The Commission has been tightening the transparency rules for publicly traded companies to ensure that shareholders, investors, and the public have enough information to make informed decisions regarding the risk profile of a company. The newly proposed rules would require disclosure of an incident within four days of discovering a “material cybersecurity incident”. The proposed amendments require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.” The new rules would also require updates about previously reported incidents. The proposed rule discusses the delay in reporting cybersecurity incidents by companies and the need to create a fairness with regard to market pricing. One example of unfairness was the ability of malicious actors to trade on information obtained during a breach while other investors remain in the dark. The proposed rules open a publicly-traded company to additional scrutiny by investors, and The Commission thinks this is a good thing. These disclosure rules were open for comments for 60 days.

About the Author

  • Kenya Parrish-Dixon
  • General Counsel and Chief Operating Officer
  • ETRM Group

Kenya Parrish-Dixon is the General Counsel and Chief Operating Officer of ETRM Group, a cybersecurity, Information Governance, eDiscovery, and Managed Review corporate holding company. She was formerly the Director of White House Information Governance for the Executive Office of the President and before that she was the Assistant Director of the Division of Litigation Technology and Analysis at the Federal Trade Commission. She is a former defense litigator and currently sits on several industry Advisory Boards. Kenya is barred in the District of Columbia, holds the NARA Certificate of Federal Records Management, and became CEDS certified in 2012.

She received her law degree from The College of William & Mary.

About the ETRM Group

ETRM Group is a specialized risk management services firm that helps corporations, law firms, and governmental agencies protect data, leverage technology, and optimize workflows to address cybersecurity, information governance, and eDiscovery challenges and opportunities.

ETRM Group combines cyber, data, and legal experience and expertise from serving leading federal agencies and international businesses, including the Federal Deposit Insurance Corporation, the Federal Trade Commission, the White House, and Fortune 500 corporations, to support assessments and audits, implementations and investigations, and eDiscovery and litigation support.

+ Washington, DC: Worldwide Headquarters and International Support Hub

For more information about ETRM Group services, including programs, practices, and protocols for complex and sensitive enterprise risk management requirements, visit ETRMGroup.com.

Source: ETRM Group