Incident Reporting Regulations Summary and Chart

Last updated at Fri, 26 Aug 2022 13:31:26 GMT

A growing number of regulations require organizations to report significant cybersecurity incidents. We've created a chart that summarizes 11 proposed and current cyber incident reporting regulations and breaks down their common elements, such as who must report, what cyber incidents must be reported, the deadline for reporting, and more.

This chart is intended as an educational tool to enhance the security community’s awareness of upcoming public policy actions, and provide a big picture look at how the incident reporting regulatory environment is unfolding. Please note, this chart is not comprehensive (there are even more incident reporting regulations out there!) and is only current as of August 8, 2022. Many of the regulations are subject to change.

This summary is for educational purposes only and nothing in this summary is intended as, or constitutes, legal advice.

Peter Woolverton led the research and initial drafting of this chart.

Additional reading:

• Avoiding Smash and Grab Under the SEC’s Proposed Cyber Rule
• Navigating the Evolving Patchwork of Incident Reporting Requirements
• New US Law to Require Cyber Incident Reports
• How Ransomware Is Changing US Federal Policy