ARTICLE
18 August 2025

The Shifting Nature Of Cyber Incident Regulatory Reporting Obligations In The United States

Wiley Rein

Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.

As the frequency and cost of responding to cyberattacks have escalated, federal and state regulators have imposed increased regulations and disclosure requirements for cyber incidents. The proliferation of requirements increases the complexity of responding to incidents and has led to overlapping and duplicative regulations, as the White House and Congress have now recognised.

Shifting expectations

Incident reporting has traditionally focused on state data breach regimes and a few sectoral mandates at the federal level. Over the past several years, this has changed. During the Biden Administration, mandatory incident reporting requirements began to reshape the cyber legal landscape, both within agencies and from Congress. In the Executive Branch, departments and agencies layered new and varied rules on top of the existing patchwork of state breach reporting requirements, complicating corporate compliance efforts. Since December 2023, Securities and Exchange Commission (SEC) rules have required public companies to publicly disclose 'material cybersecurity incidents' within four business days of determining that an incident is material,1 adding to an already complicated landscape of federal and state regulations. Additionally, the Department of Defense (DOD) updated its regulations in May 2024; under the defence federal acquisition regulation clause on safeguarding covered defence information and cyber incident reporting, government contractors must 'rapidly report' a 'cyber incident' within 72 hours of discovery.2

In 2022, Congress took action on reporting, passing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that requires hundreds of thousands of organisations to report significant cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within tight time frames under rules that are supposed to be in effect by the autumn of 2025. Congress intended CIRCIA to serve as the primary cyber incident reporting regime for critical infrastructure and to mitigate existing harms from the current 'patchwork' of sector-specific regulations, though the law itself did not mandate deconfliction. State obligations also increased, as noted below.

The Trump Administration inherits several new and proposed cyber reporting rules, at a time when it is otherwise emphasising a deregulatory approach that may cause these regulations to be reviewed or possibly rescinded. On Inauguration Day, President Trump issued a Memorandum for the Heads of Executive Departments and Agencies implementing a 'regulatory freeze' pending further review.3 On 31 January 2025, the Trump Administration also announced the '10-to-1 Deregulation Initiative', when President Trump issued Executive Order 14192 entitled 'Unleashing Prosperity Through Deregulation'.4 The Executive Order directs agencies to 'identify at least 10 existing regulations to be repealed' when new regulatory obligations are promulgated.5 Additional deregulatory efforts continue across the federal government.

Interested parties are engaging with the Administration to advocate for fewer costly and burdensome regulations and for the repeal of regulations that are duplicative or inconsistent with Congressional intent. Against this backdrop, existing cybersecurity regulations may well be scaled back, vacated or at least deconflicted during the Trump Administration.

A variety of mandatory reporting obligations exist or are proposed

Cyber incident reporting falls into two categories: mandatory and voluntary. Organisations must comply with statutory or regulatory requirements, but they often also voluntarily report incidents to law enforcement or certain regulators as a courtesy, or out of an abundance of caution where a rule is unclear. The mandatory and voluntary cyber incident reporting discussed in this chapter concerns the cybersecurity incident itself, not the separate federal or state notification obligations for data breaches involving the compromise of sensitive information. Organisations should also determine to what extent they have additional, independent contractual notification obligations.

CISA

The CIRCIA requires the Department of Homeland Security and CISA to develop and implement regulations requiring covered entities in critical infrastructure to report covered cyber incidents and ransomware payments to CISA.6 The proposed rules, pending as of the time of writing, would apply to entities in the 16 critical infrastructure sectors, which are broadly defined: chemical; commercial facilities; communications; critical manufacturing; dams; defence industrial base; emergency services; energy; financial services; food and agriculture; government services and facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.7

These proposed rules are not yet final and may be withdrawn. CISA issued a Notice of Proposed Rulemaking (NPRM) in March 2024,8 which would require critical infrastructure entities to report 'covered cyber incidents' within 72 hours and to report a ransom payment within 24 hours of making it. CISA's approach to covered cyber incidents is focused on 'substantial' cyber incidents, but the NPRM construes 'substantial' broadly and leaves ambiguities. The NPRM also addresses myriad other issues, including data preservation mandates and recordkeeping requirements for covered entities, and protections for the information that covered entities report.

Following CISA's release of the CIRCIA NPRM, industry and cybersecurity leaders in Congress objected to the overly complex and sweeping approach to reporting CISA proposed. One of the biggest issues facing CISA's new proposed rules may be how to deconflict and harmonise disparate requirements. Industry has championed a 'common form' in supplemental CIRCIA comments that could work across agencies, but it is unclear if the agencies will go that route. Agencies could work with CISA to accept incident reports from another agency in lieu of a CIRCIA report to avoid duplicative reporting. Although the CIRCIA NPRM released in 2024 seemed to narrow opportunities for such agreements, the Trump Administration's focus on reducing government waste may reopen the opportunity for CISA/agency agreements.9 At a minimum, greater reliance on the CISA portal and use of a common form under agencies' incident reporting rules could provide at least some relief to companies facing duplicate requirements.

As companies begin to work through all of these details, it will be important to assess whether an organisation fits within the broad scope of the proposed definition of 'covered entity'; how an organisation would be able to operationalise these comprehensive, onerous and fast reporting requirements for 'covered cyber incidents' and ransom payments; and how such requirements harmonise – or create tension – with an organisation's current regulatory and contractual incident reporting requirements.

If these rules were to take effect, hundreds of thousands of organisations in the United States – and potentially non-US companies with US subsidiaries and operations in the broadly defined critical infrastructure sectors – would face broad new reporting obligations for an array of incidents that are not currently subject to mandatory reporting.

SEC

Incident reporting became more complex when the SEC adopted new cyber incident disclosure rules in July 2023, effective from December 2023.10 For companies that file Form 8-Ks, the rules require public disclosure of a 'material' cybersecurity incident within four business days of the company's determination that the incident is material.11 The clock runs from the materiality determination, not from the incident itself. The SEC said the rule is designed to keep investors informed about a company's material cybersecurity incidents and its cybersecurity risk management, strategy and governance.

The SEC declined to articulate a new standard for materiality but is using its familiar standard, which is to provide disclosure to help investors assess the risks to their investments the same way they would receive comparable disclosure about other risks that public companies face. The SEC explained that it is using the materiality standard because 'material' is a touchstone in securities law and connects disclosure to the needs of investors.12 A material cybersecurity incident is one that a reasonable shareholder would consider important in making an investment decision.13

In the face of criticism and comments about practical concerns, the SEC recognised that information on a reported cybersecurity incident may evolve in pieces, so the final rules do not require updated reporting for all new information.14 Instead, Instruction 2 to Item 1.05 directs companies to file an amended Form 8-K with respect to any information called for in Item 1.05(a) that was not determined or unavailable at the time of the initial Form 8-K filing.15 The SEC also reminded entities that they may have a duty to cure prior disclosures to the extent that information provided therein turns out to have been untrue or misleading, including by omission.16

The SEC's disclosure rules contain a narrow exception for disclosures that would harm national security or public safety, but guidelines issued by the Department of Justice (DOJ) in December 2023 indicate that such delays will be granted sparingly and only in the most extraordinary of circumstances.17 A covered company or registrant may delay disclosure for up to 30 days from the normal disclosure deadline, but only where 'the Attorney General determines that the disclosure poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing'.18 The delay may be extended for a further 30 days.19 In extraordinary circumstances, the SEC will allow an additional 60-day delay where disclosure 'continues to pose a substantial risk to national security' and the Attorney General notifies the Commission accordingly,20 for a maximum of 120 days in total.

The FBI is responsible for handling delay requests, coordinating with relevant national security and public safety entities and referring those requests to DOJ for adjudication.21 Delay requests will not be processed unless the request is made immediately upon a company's determination of materiality.22 The US government has delayed public disclosure of cyber incidents several times since the SEC rules came into effect.23 Due to the tight reporting time frames, public companies or registrants should think about reaching out to the FBI before making a materiality determination if they believe that disclosure of a cyber incident may pose a substantial risk to national security or public safety.

The spectre of liability under the securities laws and this prescriptive rule adds another layer of complexity to incident response. Companies must consider evolving facts and the risk of hindsight, suggesting that an incident should have been disclosed earlier or differently as facts and impacts evolved. Public disclosure on the SEC's timeline risks prematurely alerting bad actors or opportunists and is in tension with the protected reporting envisioned by CIRCIA and many other reporting regimes.

DOD

The DOD, through Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, requires contractors to provide adequate security24 on all covered contractor information systems and to rapidly report cyber incidents25 involving covered defence information within 72 hours of discovery. Reports are made online through the Defense Industrial Base (DIB) Cybersecurity Portal, which requires a DOD-approved medium assurance certificate that contractors should obtain before an incident occurs. The amount of information that must be reported within 72 hours is frequently a challenge for organisations that are still struggling with the impact of a cyber incident.

Specifically, US government contractors must report to the DOD when they discover a cyber incident that affects: (1) a covered contractor information system; (2) the covered defence information residing in or transiting that system; or (3) the contractor's ability to perform the requirements of the contract that are designated in the contract as 'operationally critical support'.26 The report describes, among other things, the type of incident and how it was detected. Contractors must also preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the report, so that the DOD can decide whether to request the media or decline interest.

The DOD established the Cybersecurity Maturity Model Certification (CMMC) programme to verify that contractors have implemented required security measures to safeguard Federal Contract Information and controlled unclassified information (CUI).27 The DOD's CMMC rule establishes mechanisms that will permit the DOD to confirm that a defence contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance.28 The DOD implemented the requirements of the CUI Program through DFARS clause 252.204-7012 and has also proposed amending the DFARS to incorporate contractual requirements associated with the CMMC to verify contractor implementation of security controls.29

The Federal Acquisition Regulatory Council (FAR Council) published a proposed rule on 15 January 2025 to incorporate the CUI Program into the acquisition process and to define more clearly government and contractor roles and responsibilities for handling CUI.30 The proposed FAR rule would require federal contractors to report cyber incidents within eight hours of discovery, a deadline inconsistent with the 72-hour requirement in the DFARS and with reporting under CIRCIA.

At the time of writing, it is not clear whether this proposed rule could be affected by President Trump's presidential memorandum on freezing regulations pending review.31 The proposed FAR rule has been years in the making, and while the new Trump Administration could alter it, US defence contractors should be prepared for the rule to move forward in some form, because contractor cybersecurity and safeguarding CUI have been priorities across several presidential administrations, including the first Trump term. The proposed rule includes internal implementation guidance for contracting officers, CUI contract clauses and forms, a general CUI solicitation provision, and conforming edits to the terms and conditions for contracts for commercial products or commercial services (except those exclusively for commercially available off-the-shelf items).

Transportation Security Administration

The US Transportation Security Administration (TSA) is responsible for security across the surface transportation modes: mass transit and passenger rail, freight rail, highway motor carriers and pipelines; it also supports maritime security efforts.32 In May 2021, Colonial Pipeline halted its pipeline operations due to a ransomware attack that disrupted critical supplies of gasoline and other refined petroleum products throughout the East Coast of the United States.

In response, on 27 May 2021, the TSA issued Security Directive Pipeline-2021-01 requiring owners and operators of critical pipeline systems and facilities to take certain specific preventative measures to enhance pipeline security.33 The Security Directive also required owners and operators of critical pipelines to promptly report cybersecurity incidents to CISA 'as soon as practicable, but no later than 24 hours after a cybersecurity incident is identified'. If the required information is not available at the time of reporting, owners and operators must submit an initial report in the specified time frame and provide supplemental information within 24 hours of it becoming available. All reported information will be protected in a manner appropriate for the sensitivity and criticality of the information.

TSA next used the same Security Directive authority, which allows it to assess threats to transportation and to enforce security-related requirements, to issue directives to rail owners and operators in order to protect transportation security immediately.34 As a result, passenger35 and freight36 rail owners and operators are also required to report cybersecurity incidents to CISA 'as soon as practicable, but no later than 24 hours after a cybersecurity incident is identified'.

TSA's 24-hour reporting obligations have only been in Security Directives for pipeline, freight rail, passenger transit and public transportation owners and operators, but TSA has similar national emergency powers with respect to maritime transportation, including port security, and may soon seek to issue additional Security Directives to enhance cybersecurity efforts in maritime cargo shipping, navigation or communication, commercial fishing or cruise lines.

After relying on repeated invocations of emergency powers, TSA is moving toward formal rules. In November 2024, it issued an NPRM to impose cyber risk management requirements on certain pipeline and rail owners and operators, and a more limited requirement on certain over-the-road bus owners and operators, to report cybersecurity incidents.37 The TSA NPRM carries over the 24-hour incident reporting requirement from the Security Directives without change. The NPRM does not appear to consider harmonisation with rules such as the SEC incident disclosure rules or CIRCIA implementation.

Given the Trump Administration's deregulatory approach, it is uncertain at this time whether the TSA NPRM will result in new rules or whether it will be rescinded and reconstituted in light of new presidential priorities.

New York Department of Financial Services

At the state level, in November 2023, the New York Department of Financial Services (NYDFS) adopted amendments to its Cybersecurity Requirements for Financial Services Companies, which add to the existing requirement for a covered entity to notify the agency no later than 72 hours after determining that a cybersecurity incident has occurred.38 As of 1 December 2023, covered entities must also notify NYDFS within 24 hours of making an extortion payment in connection with a cybersecurity incident, and they are subject to a continuing obligation to update the agency with material changes or new information that was previously unavailable. NYDFS has also expanded the scope of reportable cybersecurity incidents to include those at a covered entity's affiliates or third-party service providers.

Voluntary reporting is an important consideration for victims

Organisations living through a cyber incident grapple with the option of voluntarily reporting cyber incidents, usually to either the FBI or CISA. Voluntary reporting can be helpful for a cyberattack victim, because victims can access information and expertise held by the government about threat actors, such as ransomware gangs and nation-state actors. By working with the FBI, victims can demonstrate that they were proactive and may be able to provide information that helps law enforcement or national security agencies make progress against threat actors.

There are two main voluntary reporting mechanisms:

  • The FBI's Internet Crime Complaint Center (IC3) receives complaints involving internet crimes such as hacking, business email compromises or ransomware attacks through the IC3 portal at https://www.ic3.gov/. Once a complaint is filed, the FBI notifies CISA and coordinates with other relevant government agencies (including foreign law enforcement or internal security services). As noted, the FBI can provide valuable information about threat actors and their tactics, can review and correlate indicators of compromise and can also provide technical assistance.
  • Companies can also report cybersecurity incidents, phishing attempts, malware or other cyber vulnerabilities through CISA's reporting portal or by calling (888) 282-0870. This is distinct from CISA's vulnerability disclosure programme, which is also an important part of its work. CISA will triage and analyse reports and may share anonymised information with others. Though not statutorily required, voluntary reporting may help with regulators, who tend to look favourably upon cooperation with law enforcement in particular.

Victims have a lot to consider as they work through incidents. The FBI, Secret Service and other law enforcement agencies regularly work with victims and are important resources to consider.

Regulatory harmonisation could rationalise incident reporting obligations

The dramatic increase in cybersecurity regulatory requirements in the past few years has led to overlapping and duplicative regulations for organisations, which has been recognised by the White House and Congress. Congress is becoming increasingly concerned about the need for cybersecurity regulatory harmonisation with burgeoning federal agency requirements. Key congressional cybersecurity leaders have championed harmonisation and may take action, through oversight or legislation.

In particular, the House Homeland Security Committee and its Cybersecurity and Infrastructure Protection Subcommittee have held hearings and conducted oversight of cybersecurity and incident reporting harmonisation.39 These hearings showed consensus among members of the Committee that the CIRCIA NPRM took an overly expansive approach and failed to advance harmonisation, in contravention of Congress' direction. On cyber incident reporting, the hearings brought into focus the 54 different cyber incident reporting regimes at the federal level, and the countless state and local requirements, with which the private sector must comply. Although cyber incident reporting requirements have been proposed or issued by the SEC, the FAR Council, DOD, TSA and the Coast Guard, there have been minimal efforts to consider existing incident-reporting regimes and either harmonise with them or provide reciprocity.

An uncertain reporting environment has implications for business

With an almost fervent mission for deregulation, the Trump Administration is shifting priorities to reduce regulatory burdens and eliminate anticompetitive practices. Congress also seems to be increasingly focused on streamlining cybersecurity requirements and enhancing information sharing while reducing regulatory burdens and compliance costs. As a result, the current regulatory environment is fluid and subject to change at any time.

Organisations will need to understand all of these competing regulatory requirements and keep abreast of changes in reporting requirements as they occur. The complex and diverse range of confidential and public reporting requirements inevitably influences how regulators treat incidents and victims. As a result, companies may want to review their incident response plans now to build in early consideration of their respective reporting requirements and possible coordination with law enforcement regarding the prospects for public reporting delays based on threats to national security or public safety. Companies may also want to invest time before a cyber incident in working relationships with trusted counsel and internal security stakeholders, including in-house counsel, who can interact with government stakeholders, as appropriate, during an incident.
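The regimes described above (SEC, CISA/CIRCIA, DOD, the proposed FAR rule, TSA and NYDFS) start their clocks on different events: discovery, a determination that an incident occurred, a materiality determination, or a ransom payment. An incident response plan that tracks these clocks side by side makes the binding deadline visible at a glance. The following Python tracker is an added, illustrative example written for this chapter; it is not code from the article or from Wiley Rein. The deadlines are those stated in the sections above, the trigger labels and regime names are this example's own simplifications (CIRCIA's clock, for instance, runs from the NPRM's 'reasonable belief' standard, approximated here as a separate timeline event), and the incident timeline is constructed. Rules the article describes as proposed are flagged so they can be excluded.

```python
"""Cyber incident reporting deadline tracker (illustrative example, not from the article)."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Regime:
    name: str
    trigger: str                        # timeline event that starts this regime's clock
    hours: Optional[int] = None         # clock-hour deadline, or None if in business days
    business_days: Optional[int] = None
    proposed: bool = False              # True where the article describes the rule as not final


# Deadlines as stated in the article; trigger labels are this example's own assumption.
REGIMES = (
    Regime("SEC Form 8-K Item 1.05", "materiality_determined", business_days=4),
    Regime("CIRCIA covered cyber incident (NPRM)", "reasonable_belief", hours=72, proposed=True),
    Regime("CIRCIA ransom payment (NPRM)", "ransom_paid", hours=24, proposed=True),
    Regime("DFARS 252.204-7012", "discovered", hours=72),
    Regime("FAR CUI rule (proposed)", "discovered", hours=8, proposed=True),
    Regime("TSA Security Directives", "discovered", hours=24),
    Regime("NYDFS Part 500", "determined", hours=72),
)


def add_business_days(start: datetime, days: int, holidays: Iterable[date] = ()) -> datetime:
    """Return the end (UTC) of the `days`-th business day after `start`.

    Weekends and any dates in `holidays` are skipped. The actual EDGAR filing
    cut-off time is not modelled; the day boundary is a simplification.
    """
    skip = set(holidays)
    current = start.date()
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in skip:
            remaining -= 1
    return datetime(current.year, current.month, current.day, 23, 59, 59, tzinfo=UTC)


def compute_deadlines(timeline: Dict[str, Optional[datetime]],
                      holidays: Iterable[date] = ()) -> Dict[str, Optional[datetime]]:
    """Map each regime to its deadline, or None if its trigger event has not occurred."""
    deadlines: Dict[str, Optional[datetime]] = {}
    for regime in REGIMES:
        started = timeline.get(regime.trigger)
        if started is None:
            deadlines[regime.name] = None
        elif regime.hours is not None:
            deadlines[regime.name] = started + timedelta(hours=regime.hours)
        else:
            deadlines[regime.name] = add_business_days(started, regime.business_days or 0, holidays)
    return deadlines


def earliest_deadline(deadlines: Dict[str, Optional[datetime]],
                      include_proposed: bool = True) -> Tuple[str, datetime]:
    """Return (regime name, deadline) for the clock that expires first."""
    proposed = {r.name for r in REGIMES if r.proposed}
    candidates = [(name, when) for name, when in deadlines.items()
                  if when is not None and (include_proposed or name not in proposed)]
    return min(candidates, key=lambda item: item[1])


def sec_delay_schedule(base_deadline: datetime) -> Dict[str, datetime]:
    """Outer limits of the SEC national-security delay: 30, a further 30, a further 60 days."""
    return {
        "initial_30": base_deadline + timedelta(days=30),
        "extension_60": base_deadline + timedelta(days=60),
        "extraordinary_120": base_deadline + timedelta(days=120),
    }


# Constructed timeline for a hypothetical incident (UTC); not a real case.
SAMPLE_TIMELINE: Dict[str, Optional[datetime]] = {
    "discovered": datetime(2025, 3, 6, 14, 0, tzinfo=UTC),              # Thursday
    "reasonable_belief": datetime(2025, 3, 6, 18, 0, tzinfo=UTC),
    "determined": datetime(2025, 3, 6, 20, 0, tzinfo=UTC),
    "materiality_determined": datetime(2025, 3, 7, 16, 0, tzinfo=UTC),  # Friday
    "ransom_paid": None,                                                # no payment made
}

if __name__ == "__main__":
    result = compute_deadlines(SAMPLE_TIMELINE)
    for name, when in result.items():
        print(f"{name:40} {when.isoformat() if when else 'clock not started'}")
    print("binding clock, all rules:", earliest_deadline(result))
    print("binding clock, in-effect rules only:", earliest_deadline(result, include_proposed=False))
    sec = result["SEC Form 8-K Item 1.05"]
    print("SEC delay ceilings:", {k: v.date().isoformat() for k, v in sec_delay_schedule(sec).items()})
```

Run as written, the tracker shows the point the chapter makes in prose: the proposed eight-hour FAR clock would expire before any in-effect rule, and among in-effect rules the TSA 24-hour directive binds first, while the SEC four-business-day clock does not even start until the materiality determination is made. Passing the relevant US federal holidays in `holidays` moves the SEC date accordingly.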

Companies should take a risk-management approach to maintaining reasonable cybersecurity programmes. In the absence of comprehensive federal law or applicable sector-specific requirements, companies can look to federal contracting requirements, National Institute of Standards and Technology publications and governmental regulatory action, such as Security Directives issued to the transportation sector, for guidance to build effective and defensible programmes. Such programmes need to adapt to new threats and to new indications from federal and state governments of regulatory risk.

Footnotes

1. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (26 July 2023) [88 FR 51896 (4 August 2023)] ('Adopting Release').

2. See Safeguarding Covered Defense Information and Cyber Incident Reporting, Defense Federal Acquisition Regulation 252.204-7012 (17 January 2025).

3. Presidential Memorandum, Regulatory Freeze Pending Review, 90 Fed. Reg. 8249 (20 January 2025). https://www.federalregister.gov/documents/2025/01/28/2025-01906/regulatory-freeze-pending-review.

4. Unleashing Prosperity Through Deregulation, Executive Order (31 January 2025), available at https://www.whitehouse.gov/presidential-actions/2025/01/unleashing-prosperity-through-deregulation/.

5. id. § 3.

6. National Security Memorandum (NSM)-22, Critical Infrastructure Security and Resilience (April 30, 2024), expressly rescinds and replaces Presidential Policy Directive – Critical Infrastructure Security and Resilience 21 (PPD-21), (12 February 2013); https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

7. See NSM-22.

8. See Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, 89 FR 23644 (4 April 2024).

9. The FAR and TSA incident reporting rules already require reports to be filed through the CISA portal.

10. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (26 July 2023) [88 FR 51896 (4 August 2023)] ('Adopting Release') https://www.sec.gov/files/rules/final/2023/33-11216.pdf.

11. The SEC has criticised the practice of filing 'voluntary' cyber incident disclosures by companies that have not determined that their respective incident had a material impact on overall 'financial condition and results of operations' of the company. See Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents, SEC, Statement of Erik Gerding (21 May 2024), https://www.sec.gov/news/statement/gerding-cybersecurity-incidents-05212024. Instead, the SEC emphasises that under the rule, a cyber incident disclosure under Item 1.05 is not 'voluntary' and the requirement 'is not triggered until the company determines the materiality of an incident'. The statement reflects the SEC's concern that voluntary disclosures of incidents under Item 1.05 that do not reach the materiality threshold or where the company has not made a materiality determination will be confusing for investors.

12. See Cybersecurity Disclosure, SEC, Statement of Erik Gerding, Director, Division of Corporation Finance (14 December 2023). https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214#_ftn1.

13. The SEC affirmed that the materiality standard companies should apply for the cybersecurity incident disclosure is the same standard articulated by the Supreme Court in cases such as TSC Industries, Inc. v. Northway, 426 U.S. 438, 449 (1976), Basic, Inc. v. Levinson, 485 U.S. 224, 232 (1988), and Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011) as well as in Commission rules, 17 CFR 230.405; 17 CFR 240.12b-2.

14. SEC Adopting Release at 51.

15. SEC Adopting Release at 51.

16. SEC Adopting Release at 51–52.

17. See Department of Justice Material Cybersecurity Incident Delay Determinations (12 December 2023), available at https://www.justice.gov/media/1328226/dl?inline.

18. SEC Adopting Release at 34.

19. SEC Adopting Release at 34. The Attorney General must notify the Commission of this determination in writing.

20. SEC Adopting Release at 34–35. This additional 60-day delay in extraordinary circumstances would bring the total to 120 days from the original disclosure obligation. Beyond the final 60-day delay, if the Attorney General indicates that further delay is necessary, the Commission may grant such additional relief through exemptive order.

21. See FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: Request a Delay, Federal Bureau of Investigation (undated) https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements-request-a-delay.

22. See SEC Reporting Requirements Delay Request Form, Federal Bureau of Investigation (undated) https://sec8k.ic3.gov/.

23. See SEC Cyber Disclosures Delayed Several Times Since December, Wall Street Journal (updated 6 June 2024). https://www.wsj.com/articles/sec-cyber-disclosures-delayed-several-times-since-december-4abb0e65.

24. 'Contractor information systems' are defined as an unclassified information system owned or operated by or for a contractor and that processes, stores, or transmits covered defence information. 48 CFR § 52.204-21 (referencing contract clause requirement in 48 CFR § 4.1903). Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations' in effect at the time the solicitation is issued or as authorised by the contracting officer. See Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments, Office of the Under Secretary of Defense, U.S. Department of Defense (16 June 2022).

25. A 'cyber incident' means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. See DFARS 252.204-7012(a).

26. 'Controlled unclassified information' (CUI) is information that requires safeguarding or dissemination controls in accordance with Executive Order 13556 'Controlled Unclassified Information' (4 November 2010) and 32 CFR Part 2002, 'Controlled Unclassified Information'. 'Covered contractor information system' means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores or transmits covered defense information; 'covered defense information' means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls and is marked or identified in the contract and provided to the contractor by or on behalf of DoD in support of performance of the contract or is collected by or on behalf of the contractor in support of the performance of the contract. See DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, Section (a).

27. See Department of Defense, 'Cybersecurity Maturity Model Certification (CMMC) Program', 89 FR 83092 (15 October 2024).

28. See Department of Defense, 'Cybersecurity Maturity Model Certification (CMMC) Program', 89 FR 83092 (15 October 2024).

29. See Department of Defense, 'Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)', 89 FR 66327 (15 August 2024).

30. See Department of Defense, General Services Administration, National Aeronautics and Space Administration, 'Federal Acquisition Regulation: Controlled Unclassified Information', 90 Fed. Reg. 9 (15 January 2025). https://www.govinfo.gov/content/pkg/FR-2025-01-15/pdf/2024-30437.pdf.

31. Presidential Memorandum, Regulatory Freeze Pending Review, 90 FR 8249 (20 January 2025). https://www.federalregister.gov/documents/2025/01/28/2025-01906/regulatory-freeze-pending-review.

32. See Department of Homeland Security Appropriations Act of 2005, Pub. L. 108-334 (18 October 2004); Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. 110-53, 121 Stat. 266, codified at 6 U.S.C. § 101 note (3 August 2007).

33. TSA issued the Security Directive pursuant to 49 U.S.C. § 114(l)(2)(A), which authorises TSA to issue emergency regulations or security directives without providing notice or public comment where 'the Administrator determines that a regulation or security directive must be issued immediately in order to protect transportation security....' Security Directives are effective for 90 days unless ratified by the Transportation Security Oversight Board (TSOB) and extended for one year from the date of effectiveness. See Transportation Security Oversight Board ratification, 86 FR 38209 (19 July 2021). https://www.federalregister.gov/documents/2021/07/20/2021-15306/ratification-of-security-directive.

34. See 49 U.S.C. § 114(d), (f), (l).

35. See Security Directive 1582-21-01 series, Enhancing Public Transportation and Passenger Railroad Cybersecurity (effective 24 October 2025), identified in 49 CFR 1582.1 (public transportation and passenger railroad includes: passenger railroad carriers; public transportation agencies; rail transit systems not operating on track that is part of the general railroad system of transportation, including heavy rail transit, light rail transit, automated guideway, cable car, inclined plane, funicular and monorail systems; and tourist, scenic, historic, and excursion rail owner/operators, whether operating on or off the general railroad system of transportation). This does not include a ferry system required to conduct training pursuant to 46 U.S.C. § 70103.

36. See Security Directive 1580-21-01 series, Enhancing Rail Cybersecurity (effective 24 October 2024) for freight railroad carriers identified in 49 CFR 1580.101 (Class I freight railroads) and other TSA-designated freight railroads.

37. See Enhancing Surface Cyber Risk Management, Transportation Security Administration, 89 FR 88488 (7 November 2024). Comments were due by 5 February 2025.

38. See New York State, Department of Financial Services Second Amendment to 23 NYCRR 500 (16 October 2023). https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.

39. H. Homeland Sec. Committee, Unconstrained Actors: Assessing Global Cyber Threats to the Homeland, 22 January 2025, https://homeland.house.gov/hearing/unconstrained-actors-assessing-global-cyber-threats-to-the-homeland/; Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime: Hearing Before the H. Homeland Sec. Subcomm. on Cybersecurity and Infras. Prot., 118th Cong. 1 (11 March 2025).

Originally published by Global Investigations Review
