Cyber regulations are crucial for the protection of individuals and businesses and help minimize risk; failure to comply with these regulations can result in severe consequences such as financial penalties, legal action, reputational damage, and a potential breach of sensitive or confidential information. Analysts have identified some key cyber regulations to watch in the coming months.
One key regulation to monitor is a proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This rule would create mandatory reporting guidelines for cyber incidents. Covered entities would be required to report to the Cybersecurity and Infrastructure Security Agency (CISA) any substantial cyber incidents within 72 hours and ransomware payments within 24 hours.
As of now, CISA encourages entities to voluntarily share information, but entities will not be required to report cyber incidents until the CIRCIA final rule goes into effect. It is estimated that more than 300,000 entities will be covered by CIRCIA and obligated to comply with these reporting requirements. This rule is likely to be finalized in 2025 and take effect in 2026, thus increasing the urgency for companies to plan and ensure compliance.
Another regulation to watch is the proposed rule from the US Department of Health and Human Services on the Health Insurance Portability and Accountability Act (HIPAA). These updates were released in January 2025 in response to the significant increase in cyberattacks in the healthcare sector and provide cybersecurity standards for protecting certain healthcare data.
Importantly, these proposed HIPAA updates protect electronic protected health information (ePHI), which includes electronic data related to an individual’s health condition, treatment for the condition, or payment. Under the proposal, covered entities must assess their outstanding security risks and put in place adequate safeguards to comply.
Finally, analysts have suggested continuing to follow the US Securities and Exchange Commission’s 2023 cybersecurity risk management requirements despite anticipated challenges to their legality. These rules require public companies to disclose any material cybersecurity incidents and to disclose their cyber risk management plans in their annual reports. While reporting under this rule has been required for public companies since 2024, the rule has been subject to criticism at hearings in the US House of Representatives. At present it is unclear whether the rule will change, but it will be prudent to monitor any developments in this area.
These impending changes to cyber regulations would create new challenges for businesses. Now is the time to begin monitoring the rules and considering what additional compliance measures may be required in the near future.
Summer associate Danielle Genovese contributed to this post.