TheCorporateCounsel.net

March 18, 2022

More Cyber Security Reporting: Congress Weighs In

While much attention was focused on the SEC’s proposed cybersecurity disclosure rules that were approved last week, Congress has also weighed in: legislation establishing new cybersecurity reporting requirements for private sector companies was signed into law this week.

The latest $1.5 trillion government spending bill included new requirements for critical infrastructure entities to report cyber incidents. The legislation: (i) requires critical infrastructure entities to report cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours; and (ii) requires critical infrastructure entities to report ransom payments in response to ransomware attacks within 24 hours, also to CISA. These changes represent a significant expansion in the federal requirements for private sector reporting of cyber incidents. What constitutes “critical infrastructure” will be defined in CISA regulations, but it will include areas such as energy, financial services, food and agriculture, healthcare, information technology and the defense industrial base, among others.

Dave Lynn