January 18, 2022

US Government Seeks Mandatory Cyber & Ransomware Reporting Requirements


Key Takeaways

  • Congress and the Biden administration are joining forces to develop legislation that would require entities to report certain cyber incidents to the federal government.

In the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces, in an increasingly rare show of bipartisanship, to drive policy changes that would require many entities to report certain cyber incidents to the federal government. Importantly, the legislation would give entities 72 hours to report a cyber incident. This is especially notable given all the media attention calling for a 24-hour notification requirement.

Estimates suggest that at least 85% of the nation's non-defense, critical infrastructure is owned by the private sector. To date, the federal government has had limited authority over civilian cyber matters, and in some areas (e.g., ransomware) an even more limited understanding of the nature of the threat. Bad actors can range from the lone wolf, to sophisticated criminal and terrorist networks, to nation states intent on doing harm. Cyber threat actors are constantly evolving new tactics and technologies that take advantage of our interconnectedness, and the risks are increasing exponentially. Forbes reports that the more than 35 billion connected smart devices could rise to more than 75 billion by 2025.

The U.S. Federal Reserve has identified cybersecurity as one of the top risks to our national economic security. The escalating number and severity of attacks has created enough political pressure on both sides of the aisle that Congress and the Administration are seeking to expand the authority of the federal government.

Top Democrats and Republicans on the Homeland Security committees in the House and Senate spent much of 2021 working in consultation with industry experts and other stakeholders to craft legislation. While the proposals vary slightly, House and Senate leaders are in the process of negotiating a compromise, which they plan to attach to "must pass" legislation in 2022, such as government funding bills.

These proposals, commonly referred to as the Cyber Incident Reporting Act (CIRA), would expand authorities granted to the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security (DHS) to oversee, analyze and disseminate information about cyber-attacks against US entities. Both bills would also require certain entities to report "covered cyber incidents."

The House and Senate versions of CIRA include several similar proposals, which are expected to be maintained in some form as the final details are negotiated:

1. Mandatory reporting of certain covered cyber incidents to DHS CISA.
2. Empower DHS CISA to define "covered entities" subject to reporting requirements and set minimum thresholds defining a "cyber incident."
3. A 72-hour reporting timeline to DHS CISA after the cyber incident has occurred.
4. Non-covered entities may voluntarily report cyber incidents.
5. Limited liability coverage.
6. Empower DHS CISA to issue subpoenas.
7. Establish penalties for non-compliance, including civil action.
8. Establish the timeline for DHS CISA to implement the new CIR program.

There are additional CIRA provisions that House and Senate negotiators are considering, but their inclusion is less certain. These proposals could:

- Require entities paying ransomware demands to file a report with DHS CISA within 24 hours of payment.
- Exempt certain small businesses, non-profits, and religious organizations.
- Exempt "white hat" hackers, government entities and other third-parties retained by the primary entity to discover system vulnerabilities.
- Determine the scope and limitations on use and sharing of incident reports with other federal agencies, departments, etc.
- Harmonize cyber reporting requirements, especially for entities already subject to federal, sector-specific cyber incident reporting regulations, rules and requirements.

As the process moves forward, the Buchanan Ingersoll & Rooney team is prepared to discuss how best to influence both the legislative and regulatory rulemaking processes as well as the implications new cyber incident reporting requirements will have on your entity and its strategic goals.

The federal government's intense focus on and response to growing cyber threats provides our clients with the opportunity to position their needs and interests as new laws and regulations are developed and implemented. Given the speed with which these laws, rules, requirements and penalties are drafted, there will certainly be unintended consequences impacting all of our clients.

In addition to the new CIRA requirements, the Buchanan Federal Government Relations (FGR) team anticipates additional congressional action because there is bipartisan support for the federal government to oversee the cybersecurity of our nation's critical economic and physical infrastructure. Buchanan's FGR team stands uniquely positioned to counsel our firm's clients on the latest developments as Congress, DHS CISA and other sector regulators expand their authority, rules, oversight and penalties in the cyber space.
