Private U.S. Firms May Soon Need to Report Hacks and Ransomware Payments

The Senate on March 2, 2022 passed a cybersecurity package that would require companies to report damaging hacks and ransomware payments to the government, bringing closer to reality rules the US government sees as key to protecting critical infrastructure. Passed by unanimous consent, the legislation now heads to the House.

The Strengthening American Cybersecurity Act comprises three bills intended to bolster public and private sector security, including modernizing federal agencies’ cyber posture and updating how they can adopt cloud-based technologies. Covered firms would have to report breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours of the breach, as well as ransomware payments within 24 hours of payment.

There have been sector-specific regulations requiring many pipeline and rail operators to report hacks since a ransomware attack on Colonial Pipeline Co. disrupted the East Coast’s largest fuel conduit last year.

The legislation would expand such rules to many companies across the 16 designated critical infrastructure sectors, such as energy and financial services. Officials plan to analyze the reported data and disseminate it among federal agencies and private-sector firms to prevent similar incidents elsewhere.

While the bill provides some guidance on which companies would be covered by the rule, CISA would decide the specifics in a formal rule-making process. CISA would also decide which types of incidents companies have to report and what information they would have to share.

The legislation would give CISA two years after enactment of the law to propose rules and an additional 18 months to complete them. Businesses would have liability protections for information they share and would face no fines for not complying.

Source: