On Tuesday, March 15, President Joe Biden signed into law a $1.5 trillion government funding bill that included new legislation mandating critical infrastructure owners and operators to report a substantial cyber-attack and any ransomware payment to the Cybersecurity and Infrastructure Agency (CISA).
The provision, co-authored by U.S. Senators Gary Peters and Rob Portman, is a part of the federal government’s efforts to combat potential cyber-attacks from foreign adversaries, including potential threats from the Russian government in retaliation for the United States’ ongoing assistance to Ukraine.
Entities Affected
The “critical infrastructure sectors” affected by the new requirements include financial services, food and agriculture, healthcare and public health, energy, and communications.
Financial services providers will recognize some of the language used in this new legislation. It is similar to the FDIC, OCC, and Federal Reserve’s new rule going into effect next week on April 1, 2022, setting new notification requirements for banks and their third-party service providers in the event of a “computer-security incident.” Note that the Peters and Portman legislation will be creating a new requirement to report to CISA in addition to the FDIC/OCC/Federal Reserve – unless the final rule contains an exemption for entities already required to report incidents to other federal regulators.
Reporting Requirements
The new legislation seeks to mitigate these risks by requiring entities in a “critical infrastructure sector” to report a “substantial cyber-attack” to CISA within 72 hours after the entity reasonably believes that a covered cyber incident has occurred, and within 24 hours after making a ransomware payment. Failure to make such a report in a timely manner may lead to a referral by CISA to the Department of Justice.
“Substantial cyber-attacks” include the occurrence of a “substantial loss of confidentiality, integrity, or availability” of an information system or network, serious impacts on the resiliency of operational systems, or disruptions in business or industrial operations due to a cyber-attack.
Over the next 24 months, federal regulators will be working to draft a final rule for implementation of the Peters and Portman cyber-attack reporting legislation. The rulemaking process will provide additional clarity for industry and business leaders, which will enable critical infrastructure providers to stay ahead of any compliance issues that may arise as a result of the new reporting requirements.
Our Privacy, Cybersecurity, and Data Management team will continue to monitor the latest regulatory and legislative developments in the areas of cybersecurity and data protection.