Bipartisan Support For Mandatory Cyber Incident Reporting

Democratic and Republican leaders of the Senate Homeland Security and Governmental Affairs Committee have introduced legislation that would give set timelines for cyber incident reporting. Organizations including critical infrastructure groups, nonprofits, businesses with more than 50 employees, and state and local governments would have 24 hours to report if they paid a ransomware demand. Owners of critical infrastructure would be required to report incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours. CISA would have the power to subpoena groups that fail to report. Organizations that don’t comply could be referred to the Justice Department, and potentially banned from doing business with the federal government. The House has approved a version of the National Defense Authorization Act that would ban CISA from requiring organizations to report cyber incidents earlier than 72 hours after they occurred.