Top US Cyber Agency Pushing Toward First Hack Reporting Rule
A new US notification requirement for victims of malicious hacks could push in-house counsel to disclose cyberattacks when faced with ransomware and other network compromises.
Among the first-ever cyber regulations to be enforced by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the top US cyber authority, the proposed rules would require companies in 16 critical infrastructure sectors—including healthcare, energy, and finance—to report security incidents within three days and ransomware payments in 24 hours.
CISA’s proposed rule is part of a US effort to shore up defenses against the increasingly disruptive attacks of cyber criminals and nation-backed hacking groups, while simultaneously streamlining overlapping and inconsistent breach-notification reporting requirements across sectors. The rule would nudge companies toward new hiring and staff retraining, and push general counsel toward more active cybersecurity responsibilities.
The Biden administration set December 2025 as the deadline for the final rule, which was mandated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
“One glaring challenge has been our cyber incident reporting system, which has recently been revealed as a bureaucratic maze,” said Jackie Singh, a consultant who was a senior cybersecurity staffer in the Biden campaign. “With over 50 disparate reporting channels scattered across numerous government entities, this broken system represents a potential Achilles’ heel. Agility is key to withstand cyber threats in a resilient manner; convoluted reporting structures don’t fit into what we commonly think of as ‘agile.’”
Companies only compound cyber threats when they delay reporting information that could protect other companies or national security, Singh said.
The agency’s new rule is designed to encourage greater visibility into cyber incidents with security implications beyond a single company, so information submitted in the breach reports is guaranteed certain protections.
Chief among those: local, state, and federal governments can’t use the information in the reports to regulate a company providing notice, unless…
