Carriers Face Diverse Cybersecurity Reporting Requirements as CISA Considers Rules
Sometime in October 2025, expect the Cybersecurity and Infrastructure Security Agency to issue rules requiring that companies report cyber incidents and ransomware payments, Wiley's Sydney White said during the second part of an FCBA CLE on Thursday (see 2405090051). The rules are part of additional authority CISA received under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Numerous cyber incident-reporting requirements exist, so new requirements will add to companies' reporting burden, experts said.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Covered entities, across 16 critical infrastructure industries, must report cyber incidents within 72 hours of when the company determines they occurred under the proposed rules, White said. Ransomware payments must be reported within 24 hours, she said. “Maintaining a huge quantity of information is difficult” as is “being able to sort through that information,” she said, so CISA may have difficulty processing all the information it will receive, she said.
CISA is proposing broad requirements, said Traci Biswese, NCTA vice president and associate general counsel. “CISA has scoped the proposed rules to go beyond the text, some would say, of CIRCIA and possibly the intentions of Congress,” she added. CISA’s NPRM “suggests that simply operating within a critical infrastructure sector makes a company subject to CIRCIA reporting,” Biswese said.
CISA proposes some exemptions from reporting requirements, including for common occurrences like blocked phishing schemes or failed attempts at penetrating a system, Biswese noted. “Some say overall the guidance errs on the side of over-reporting,” she said: “The end result is a highly extensive or expansive notion of substantial cyber incidents on top of the expansive scope of entities covered by the rules.”
Incidents that may have little or no effect on critical infrastructure or the public may trigger reporting obligations, Biswese said. “We’ll see whether this is indeed what Congress intended,” she said, warning the reporting requirements could prove a time-consuming distraction for covered companies.
“There are many, many, many existing incident reporting structures today,” said Melanie Tiano, T-Mobile director-government affairs. For example, under the FCC’s customer proprietary network information (CPNI) rules, carriers must notify the FCC of a breach as soon as practical but not later than within seven business days, she said. New rules require notification of incidents beyond CPNI (see 2312220054), she said.
The FCC has outage reporting obligations and 911 outage reporting requirements, Tiano said. Under its new rules, the SEC requires public companies to report material cybersecurity incidents within four business days, she said. In addition, the FTC has reporting requirements, including the safeguards rule, which was recently revised, she said. States also have breach notification laws, Tiano said, and their timelines and requirements vary, she said. Some carriers face international reporting obligations, she said.
Justin Perkins, CTIA director-cybersecurity and policy, agreed that communications providers already face myriad reporting requirements. “It could potentially have a negative impact … when the cybersecurity professionals have to devote their time and attention to making these difficult, sometimes subjective determinations in the reports, rather than focusing their attention on actually responding” to incidents, Perkins said.
Companies see “hundreds and hundreds of cyber incidents” each day, “not all of which are designated as significant,” said Wilkinson Barker’s Savannah Schaefer. Another concern with CISA's rules is ensuring that supplied data is protected, she said. “Just as companies are thinking critically every day about how they maintain the security of [stored and transited] data ... we want CISA to be thinking about protecting the data that gets shared with them.”
Tiano called for greater harmonization of CISA and other reporting requirements. Some of the regulations require public filings, others are nonpublic, she said. “That needs to be really carefully balanced,” Tiano said, adding “it’s very clear that CISA understands the importance of harmonization and is thinking about it.”
There are challenges, including varying definitions, timelines, triggers for reporting and content requirements, Tiano said. “They do not all sync,” she said. Some reporting could be redundant, she said. In some cases, state rules require reports when federal reports are filed, she said. One incident could trigger “dozens of reporting obligations.”