On April 22, 2024 from 11:00 am – 12:00 pm (EDT), Luke Dembosky, Erez Liebermann, HJ Brehmer, and Stephanie Thomas from our Data Strategy and Security Group will host the next installment of our Data Security Webcast, where we will delve into the Cybersecurity and Infrastructure Security Agency (“CISA”) notice of proposed rulemaking (“Proposed Rule”) for reporting requirements for critical infrastructure entities that experience covered cybersecurity incidents developed pursuant to the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”). For more information about the Proposed Rule, see our recent Debevoise Data Blog post.

During the webcast, we will walk through the components of the Proposed Rule in detail and discuss:

  • How we got here. CIRCIA was enacted to provide the federal government with greater visibility over cybersecurity threats affecting the nation’s critical infrastructure and to facilitate deployment of resources to efficiently respond to such attacks. CIRCIA required CISA to promulgate a proposed regulation (the subject of this webinar) within 24 months, and a Final Rule within 18 months of the publication of the Proposed Rule. The Proposed Rule builds upon industry feedback the Department of Homeland Security solicited following CIRCIA’s passage in March 2022.
  • An overview of the Proposed Rule. The Proposed Rule, which CISA estimates will affect over 300,000 entities, introduces reporting requirements that will impact all critical infrastructure sectors, featuring highly detailed reporting duties that necessarily will require covered entities to maintain asset inventories, along with subpoena power and criminal enforcement authority. We will discuss the Proposed Rule’s coverage, reporting requirements, and enforcement mechanisms in detail.
  • What companies should do. First and foremost, organizations will need to determine whether they fall within the Proposed Rule’s ambit.  Once that determination is made, we recommend taking several preliminary steps to ensure compliance when the Proposed Rule is finalized, which include conducting gap assessments, considering law enforcement reporting positions, and developing notification frameworks.
  • Next steps for the Proposed Rule. The Proposed Rule’s comment period is open until Monday, June 3, 2024.

To register for the Webcast, please click here.

If you are unable to join via Webcast, please click here to register to receive the recording only.

To see our previous blog posts about CISA, please click here.

To see our previous webcasts, please click here.

To subscribe to our Data Blog, please click here.

The cover art used in this blog post was generated by DALL-E.


Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.


Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com


H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.


Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.