SEC cyber incident reporting requirements: In 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience within four days of determining their materiality and to disclose material information regarding their cybersecurity risk management, strategy, and governance every year. However, as the Center for Cybersecurity Law and Policy has noted, the Securities and Securities Exchange Acts upon which the SEC relied for its rules do not directly reference cybersecurity.

FCC data breach reporting rules: In 2023, the US Federal Communications Commission (FCC) updated and strengthened its data breach notification rules for communications providers to protect against improper use or disclosure of customer data. In issuing its new regulations, the FCC significantly expanded upon its enforcement authority under the Communications Act, which dealt with protections for a very narrow class of customer data called customer proprietary network information (CPNI) and not the much broader range of customer data reflected in the Commission’s rules.

CISA cyber incident reporting requirements: In April 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) proposed a rule to implement the cyber incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule is not slated to be finalized until 2025. However, in developing its rulemaking, CISA had to interpret CIRCIA broadly.