- Critical infrastructure sectors would have to report hacks
- Proposed rule due in March 2024
A new US notification requirement for victims of malicious hacks could push in-house counsel to disclose cyberattacks when faced with ransomware and other network compromises.
Among the first-ever cyber regulations to be enforced by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the top US cyber authority, the proposed rules would require companies in 16 critical infrastructure sectors—including healthcare, energy, and finance—to report security incidents within three days and ransomware payments in 24 hours.
CISA’s proposed rule is part of a US effort to shore up defenses against the increasingly disruptive attacks of cyber criminals and nation-backed hacking groups, while simultaneously streamlining overlapping and inconsistent breach-notification reporting requirements across sectors. The rule would nudge companies toward new hiring and staff retraining, and push general counsel toward more active cybersecurity responsibilities.
The Biden administration set December 2025 as the deadline for the final rule, which was mandated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
“One glaring challenge has been our cyber incident reporting system, which has recently been revealed as a bureaucratic maze,” said Jackie Singh, a consultant who was a senior cybersecurity staffer in the Biden campaign. “With over 50 disparate reporting channels scattered across numerous government entities, this broken system represents a potential Achilles’ heel. Agility is key to withstand cyber threats in a resilient manner; convoluted reporting structures don’t fit into what we commonly think of as ‘agile.’”
Companies only compound cyber threats when they delay reporting information that could protect other companies or national security, Singh said.
The agency’s new rule is designed to encourage greater visibility into cyber incidents with security implications beyond a single company, so information submitted in the breach reports is guaranteed certain protections.
Chief among those: local, state, and federal governments can’t use the information in the reports to regulate a company providing notice, unless CISA believes it is withholding incident information; in that case, the agency can subpoena the company and subject it to daily monetary fines. If the rule is approved, company reports may also receive attorney-client privileges and be exempted from the Freedom of Information Act.
Many of the existing 52 enacted or proposed federal cybersecurity breach reporting requirements are sector-specific, making CISA’s approach markedly different as it positions itself as an industry-friendly agency, said Justin Herring, a partner at Mayer Brown LLP and former cybersecurity regulator with the New York State Department of Financial Services.
“At least with respect to notification and the requirements to reporting, this will be the most cross-industry rule that I can think of, definitely at the federal level, and that will give them an opportunity to create rules like this for industries that don’t have a close regulator,” said Herring. But CISA’s powers as a regulator aren’t fully fleshed out, he said, because it can’t yet prescribe security measures, instead relying on enforcement referrals to the Department of Justice.
“This may be the first baby step towards CISA taking on those kinds of regulatory powers,” Herring said.
CISA’s Approach
The cybersecurity agency is expected to request more technically detailed disclosures than most federal agencies, given its posture as a clearinghouse for timely incident information and resources, said Nick Sanna, president of the FAIR Institute, which created an economic-based cyber risk analysis framework.
“CISA’s motive is more to help protect the company and they play a real role in terms of information sharing of what threats are most prevalent right now,” Sanna said.
At the same time, the agency should be wary of requesting so much information that it enables other companies or threat actors to identify the initial victim from CISA’s warnings, he added.
The law mandating CISA’s rule development doesn’t focus on requirements for specific critical infrastructure sectors, but instead appears most targeted on combating ransomware attacks, said Ben Miller, vice president of services at Dragos Inc., a cybersecurity firm that focuses on industrial controls, systems that manage machines and manufacturing.
“They definitely don’t have their arms around the volume of activity that’s going on within the sectors as it relates to ransomware. I think it’s much larger than we feel at times, and there are impacts into the OT and critical infrastructure environments,” Miller said, referring to operational technology networks where machines connect to other machines.
In response to interview requests with CISA officials, the agency pointed Bloomberg Law to a March update from Executive Director Brandon Wales detailing feedback it received from the public and explaining that increased reporting will enable “the agency to spot trends in real-time” and “fill critical information gaps.”
CISA’s menu of security remedies is complicated by the conflicting interests of victims and their industry peers who could be next on an attacker’s list. While victims may hesitate to disclose explicit details of a security compromise, CISOs managing their own networks want all of the details they can get to bolster defenses, said Bob Olsen, the global head of cybersecurity and privacy at the consulting firm Ankura.
So far, regulators are siding with attack victims, but agencies like CISA or law enforcement could better standardize what incident information gets shared with the public, he said. CISA recently launched a warning system to flag common ransomware vulnerabilities and built an interagency task force to coordinate ransomware defenses.
After serving as a CISO in several critical infrastructure sectors, Olsen is clamoring for more information from the agency. He recalled scenarios in which he was alerted by an agency that his sector was being actively targeted by threat actors, but given no further details.
“They’re sort of presupposing what information would be helpful for me to then go take action to be proactive, but it isn’t always the case,” Olsen said. Consistently receiving indicators of compromise—such as malicious email accounts or internet addresses—for example, would be helpful because it allows companies to preemptively block network activity from accounts hackers may be using, he said.
Streamlining Cyber Requirements
CISA is developing its first regulation while the Biden administration is also assessing how to best reduce duplicative reporting requirements and standardize cybersecurity terminology. A comprehensive look at that approach came in a Sept. 19 DHS report centered on cyber harmonization, listing eight recommendations for federal agencies.
In a statement released alongside the report, CISA Director Jen Easterly said the recommendations and input sent directly to the agency would “help inform” the proposed rule. The recommendations included a template incident reporting form, standardized definition of a cyber incident, and model timelines for reporting breaches. Federal agencies should assess the viability of establishing a single online incident reporting portal, rather than each maintaining their own, the report suggested. It said agencies should clarify which data fields are essential and which may be withheld, at least temporarily.
The report also acknowledged the challenge of harmonizing reporting requirements across 33 federal departments and agencies, given diverging and overlapping requirements. Duplicative reporting can impede a victim’s ability to best focus resources on mitigating a security breach, and inconsistencies in how agencies collect incident data can make it harder for the government to elucidate trends, the report found.
But the longer the agency takes to finalize the requirements, the longer the list of cybersecurity breach victims becomes, said Joshua Corman, former chief strategist of CISA’s Covid task force.
“For something born out of a sense of urgency, this slow and methodical process lacks that urgency for something that shouldn’t be very complicated, carries no penalties and only exists to enable the government to do its job,” Corman said.