{"id":212876,"date":"2026-05-12T16:58:00","date_gmt":"2026-05-12T20:58:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/12\/silicon-valley-snapshot-on-looming-cybersecurity-reporting-rules-top-circia-takeaways-for-the-tech-industry-fisher-phillips\/"},"modified":"2026-05-12T17:20:08","modified_gmt":"2026-05-12T21:20:08","slug":"silicon-valley-snapshot-on-looming-cybersecurity-reporting-rules-top-circia-takeaways-for-the-tech-industry-fisher-phillips","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/12\/silicon-valley-snapshot-on-looming-cybersecurity-reporting-rules-top-circia-takeaways-for-the-tech-industry-fisher-phillips\/","title":{"rendered":"Silicon Valley Snapshot on Looming Cybersecurity Reporting Rules: Top CIRCIA Takeaways for the Tech Industry | Fisher Phillips"},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/silicon-valley-snapshot-on-looming-4952393\/\">Silicon Valley Snapshot on Looming Cybersecurity Reporting Rules: Top CIRCIA Takeaways for the Tech Industry | Fisher Phillips<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/silicon-valley-snapshot-on-looming-4952393\/\">https:\/\/www.jdsupra.com\/legalnews\/silicon-valley-snapshot-on-looming-4952393\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-12 16:58:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.jdsupra.com\">www.jdsupra.com<\/a><\/p>\n<p>Many tech companies will soon need to comply with new cybersecurity reporting obligations as federal officials close in on finalizing a proposed rule that will carry out core goals of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 
These sweeping new requirements will create a significant compliance burden for Silicon Valley businesses and across the information technology sector. This snapshot will provide a quick recap of what this is all about and offer five key takeaways for your industry.<\/p>\n<p>Quick Background<\/p>\n<p>CIRCIA was enacted in 2022 as the federal government\u2019s first comprehensive, cross-sector approach to mandatory cyber incident reporting. As required by the law, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule in 2024 to implement covered cyber incident and ransom payment reporting requirements for covered entities.<\/p>\n<p>While CISA had aimed to finalize the rule by May 2026, lapses in federal appropriations forced the agency to postpone a CIRCIA town hall meeting series, and the agency will issue a final rule only after these town hall meetings take place.<\/p>\n<p>Overview of CIRCIA Reporting Requirements<\/p>\n<p>Once the CIRCIA regulation is finalized, covered entities will be required to report substantial cyber incidents, ransomware payments, and supplemental information to CISA and comply with record preservation obligations. All CIRCIA reports will need to meet strict rules regarding timing, content, manner, and format. CISA will have a variety of powerful mechanisms to enforce this new cyber reporting framework \u2013 which will largely operate in addition to any other state or federal reporting obligations applicable to your business.<\/p>\n<p>Top 5 Takeaways for Silicon Valley and the Tech Industry<\/p>\n<p>1. Information Technology Treated as a Critical Infrastructure Sector<\/p>\n<p>The proposed CIRCIA rule applies to any entity in a critical infrastructure sector that meets certain size-based or sector-based criteria (as discussed further below). 
Information technology is one of the 16 critical infrastructures explicitly listed, and the rule\u2019s definition of \u201ccovered entity\u201d is so broad that \u201ccompanies that do not actually constitute critical infrastructure may be swept into the reporting requirement,\u201d according to a public comment submitted by the Information Technology Industry Council (ITI) in 2024.<\/p>\n<p>The ITI urged CISA to, among other things, narrow the scope of covered entities \u201cbased on a criticality assessment that is tied to economic or national security\u201d and to limit coverage to only a company\u2019s offerings that constitute critical infrastructure.<\/p>\n<p>2. Even Smaller Tech Businesses and Startups May Be Covered <\/p>\n<p>If your business is in a critical infrastructure sector (such as IT), it is a covered entity under the proposed rule so long as it exceeds the small business threshold or meets certain sector-based criteria. Many major technology companies will likely satisfy both coverage tests \u2013 but meeting just one of them is enough to be covered.<\/p>\n<p>Size-Based Criteria<\/p>\n<p>Your business will be a covered entity if it exceeds the small business size standard applicable to your industry as designated by the North American Industry Classification System (NAICS). These thresholds can be based on number of employees or annual revenue, depending on the industry.<\/p>\n<p>3. 
Reportable Cyber Incidents Are Defined Broadly<\/p>\n<p>The proposed rule requires covered entities to report cyber incidents that lead to any of the following:<\/p>\n<p>\tsubstantial loss of confidentiality, integrity, or availability of your information systems or networks;<br \/>\n\ta serious impact on the safety and resiliency of your operational systems and processes;<br \/>\n\ta disruption of your ability to engage in business or industrial operations, or deliver goods and services; or<br \/>\n\tunauthorized access to your information system or network (or any nonpublic information contained in it) caused by either (1) a compromise of a cloud service provider, managed service provider, or other third-party hosting provider, or (2) a cyber incident within the supply chain of an information system that an adversary \u201ccan\u201d or does leverage for specific purposes.<\/p>\n<p>In the ITI\u2019s 2024 public comment, it expressed several concerns over the breadth of cyber incidents that could trigger reporting obligations under the proposed rule, as well as confusion over \u201cwhere in the supply chain reporting responsibilities fall.\u201d For example, ITI said that the last bullet point above \u201cseems to indicate that unauthorized access without actual disruption anywhere in the supply chain\u201d would be a reportable cyber incident.<\/p>\n<p>4. The Reporting Timelines Are Very Aggressive <\/p>\n<p>Once the regulations take effect, covered entities will be required to submit CIRCIA reports to CISA for:<\/p>\n<p>\tcovered cyber incidents within 72 hours of reasonably believing one has occurred; and<br \/>\n\transomware payments within 24 hours of making them (even if the ransomware attack underlying the ransom payment is not a covered cyber incident).<\/p>\n<p>Note that the reporting clock starts before an investigation is complete, requiring companies to report to the federal government while investigations are still unfolding. 
And companies will be required to continue filing supplemental reports each time significant new or different information emerges from an initial report, or when a correction is needed, until the company \u201cnotifies CISA that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.\u201d<\/p>\n<p>5. Don\u2019t Wait for the Rule to Be Finalized to Start Preparing<\/p>\n<p>Even if finalization of the proposed CIRCIA rule appears to be stuck in a holding pattern due to recent federal appropriations disruptions, businesses that wait for the ink to dry before preparing will be behind. Check out our FAQs for Businesses About CIRCIA Regulations for more details about the rule and specific steps you should consider taking now to put your business in a strong position by the time the rule kicks in.<\/p>\n<p>You should also look out for CISA to release new dates for the town hall series (including one focused on the Defense Industrial Base Sector and the Information Technology Sector), as the purpose of these meetings is to allow the agency to solicit input from stakeholders on \u201crefining the scope and burden\u201d of the proposed CIRCIA rule.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Silicon Valley Snapshot on Looming Cybersecurity Reporting Rules: Top CIRCIA Takeaways for the Tech 
Industry&#8230;<\/p>\n","protected":false},"author":1,"featured_media":212877,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.7295_415.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-212876","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212876"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=212876"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212876\/revisions"}],"predecessor-version":[{"id":212879,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/212876\/revisions\/212879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/212877"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=212876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=212876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=212876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}