SEC cyber incident reporting requirements: In 2023, the US Securities and Exchange Commission (SEC) adopted rules that require registrants to disclose cybersecurity incidents they experience within four days of determining their significance, and to disclose important information regarding their cybersecurity risk management, strategy, and governance every year. However, as the Center for Security Law and Policy has noted, the Securities and Exchange Acts on which the SEC relies for these rules do not specifically address cybersecurity.
FCC data breach reporting rules: In 2023, the US Federal Communications Commission (FCC) revised and strengthened its data breach notification rules for telecommunications providers to protect against improper use or disclosure of customer data. In issuing its new rules, the FCC significantly expanded its enforcement authority under the Communications Act, which dealt with the protection of a much smaller category of customer data called customer proprietary network information (CPNI) and not the broader scope of customer data reflected in the Commission’s rules.
CISA incident reporting requirements: In April 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) proposed legislation to implement cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This law is not scheduled to be finalized until 2025. However, in developing its rule, CISA had to interpret CIRCIA broadly.