U.S. Senators Introduce Bipartisan Bill on Reporting Critical Infrastructure Cyber Incidents and Ransomware Payments

On September 28, 2021, Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, respectively, introduced a bipartisan bill (the “Bill”) that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of forming a reasonable belief that a covered cyber incident has occurred. In addition, the Bill would require most entities (including businesses with 50 or more employees) that make ransom payments following ransomware attacks to report those payments to the CISA within 24 hours of payment. Notably, any entity required to submit a ransom payment report would first have to conduct a due diligence review of alternatives to paying the ransom, including an assessment of whether recovery from the ransomware attack is possible through other means, before making such a ransom payment. Critical infrastructure owners and operators also would be required to provide supplemental reports to the CISA as new or different information becomes available. All entities subject to these requirements would face data preservation obligations.

The Director of the CISA, in consultation with the heads of other federal agencies, would be charged with promulgating rules to implement these reporting and data preservation requirements. In addition, the Bill would establish within the CISA a new Cyber Incident Review Office (the “Office”) to receive and analyze reports related to covered cyber incidents, as well as to facilitate the voluntary sharing of threat, vulnerability, and mitigation information among critical infrastructure owners and operators. The Bill also would require the CISA to develop a ransomware vulnerability warning pilot program that would leverage existing authorities and technology to identify vulnerabilities associated with common ransomware attacks and notify the relevant information system owners.

The Bill would grant the CISA Director the authority to issue subpoenas against any entity that fails to comply with its reporting requirements under the Bill. Entities that fail to comply with subpoenas would be subject to referral to the Department of Justice for civil enforcement. Federal contractors that fail to comply with subpoenas would be subject to additional penalties from the General Services Administration, including suspension or debarment from contracting with the federal government.

The Director of the CISA, Jen Easterly, reportedly supports legislation requiring the reporting of cyber incidents to the CISA, though she favors fines as an enforcement mechanism beyond subpoena authority, stating, “I know some of the language talks about subpoena authority. My personal view is, that is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors, so I think we should look at fines.”

For more information, read the Bill here.

We previously reported on a separate bipartisan bill introduced on July 21, 2021, which would require federal government agencies, federal contractors, and operators of critical infrastructure to notify the CISA within 24 hours of “confirmation” of a cybersecurity incident.
