Top US Cyber Agency Pushing Toward First Hack Reporting Rule

Many of the existing 52 enacted or proposed federal cybersecurity breach reporting requirements are sector-specific, making CISA’s approach markedly different as it positions itself as an industry-friendly agency, said Justin Herring, a partner at Mayer Brown LLP and former cybersecurity regulator with the New York State Department of Financial Services.

“At least with respect to notification and the requirements to reporting, this will be the most cross-industry rule that I can think of, definitely at the federal level, and that will give them an opportunity to create rules like this for industries that don’t have a close regulator,” said Herring. But CISA’s powers as a regulator aren’t fully fleshed out, he said, because it can’t yet prescribe security measures, instead relying on enforcement referrals to the Department of Justice.

“This may be the first baby step towards CISA taking on those kinds of regulatory powers,” Herring said.