The Cybersecurity and Infrastructure Security Agency plans to issue a final rule that would require companies to report cyber incidents and ransom payments to the agency by September. The rule, which would require critical infrastructure entities to promptly report substantial cybersecurity incidents to CISA, has come under attack from industry groups and private sector representatives saying it was too broad and would create overlapping reporting requirements.