incident reporting

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require critical infrastructure entities to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours, with the final rule now expected May 2026.

The SEC's cybersecurity disclosure rules face political uncertainty under the new administration. The SolarWinds case was dismissed, but the new CETU signals continued enforcement focus.