Congress Passes Mandatory Cyber Incident Reporting Bill -- 72 Hours for Critical Infrastructure

As part of the government funding bill passed in early March, Congress would require critical infrastructure companies to report cyber incidents to CISA, the federal cyber watchdog, within 72 hours. The bill as passed would also require reporting within 24 hours of ransomware payments by covered industries. The bill has not yet been signed by the president.  

Critical infrastructure covers sixteen industries deemed critical to national security, such as the power grid, financial services, agriculture, and banking. (The categories used by CISA were invoked by many states in early 2020 to distinguish which workers and industries were exempt from workplace shutdowns imposed by the pandemic.)

Why it Matters

Several arms of the government are pushing to increase transparency and discussion about cyber attacks on American business; the SEC has drafted reporting rules that would require publicly traded companies (in all sectors) to disclose certain cyber incidents to investors.  CISA has long had relationships with the nation's critical infrastructure industries, and there has been public/private cooperation among them on many cyber incidents under the legislation that established CISA and created certain safe harbors for companies to share threat intelligence. With the specter of Russian cyber attack at the forefront of many experts' minds thanks to the events in Ukraine, it is likely we will see more efforts to force disclosure of events in future. Over time, such transparency rules for regulated companies are likely to serve as models of best practices even for non-regulated companies in some circumstances.