On April 4, the Cybersecurity and Infrastructure Security Agency published a notice of proposed rulemaking setting out mandatory reporting requirements for covered entities that experience cybersecurity incidents or make ransom payments in relation to a cybersecurity incident. While the rule will inevitably change following the notice and comment period, the proposed rule represents the overall approach that CISA will take when it promulgates a final rule.

Originally published by Law360 - May 8, 2024.