January 18, 2022

US Government Seeks Mandatory Cyber & Ransomware Reporting Requirements

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

Key Takeaways

  • Congress and the Biden administration are joining forces to develop legislation that would require entities to report certain cyber incidents to the federal government.

In the wake of recent high-profile cyber and ransomware attacks, Congress and the Biden administration have joined forces, in an increasingly rare show of bipartisanship, to drive policy changes that would require many entities to report certain cyber incidents to the federal government. Importantly, the legislation would give entities 72-hours to report a cyber incident. This is especially notable given all the media attention calling for a 24-hour notification requirement.

Estimates suggest that at least 85% of the nation's non-defense, critical infrastructure is owned by the private sector. To date, the federal government has had limited authority over civilian cyber matters, and in some areas (e.g., ransomware) an even more limited understanding of the nature of the threat. Bad actors can range from the lone wolf, to sophisticated criminal and terrorist networks, to nation states intent on doing harm. Cyber threat actors are constantly evolving new tactics and technologies that take advantage of our interconnectedness, and the risks are increasing exponentially. Forbes reports that the more than 35 billion connected smart devices could rise to more than 75 billion by 2025.

The U.S. Federal Reserve has identified cybersecurity as one the top risks to our national economic security. The escalating number and severity of attacks has created enough political pressure on both sides of the aisle that Congress and the Administration are seeking to expand the authority of the federal government.

Top Democrats and Republicans on the Homeland Security committees in the House and Senate spent much of 2021 working in consultation with industry experts and other stakeholders to craft legislation. While the proposals vary slightly, House and Senate leaders are in the process of negotiating a compromise, which they plan to attach to "must pass" legislation in 2022, such as government funding bills

These proposals, commonly referred to as the Cyber Incident Reporting Act (CIRA), would expand authorities granted to the Cybersecurity and Infrastructure Agency (CISA) at the US Department of Homeland Security (DHS) to oversee, analyze and disseminate information about cyber-attacks against US entities. Both bills would also require certain entities to report ‘covered cyber incidents.'

The House and Senate versions of CIRA include several similar proposals, which are expected to be maintained in some form as the final details are negotiated:

1. Mandatory reporting of certain covered cyber incidents to DHS CISA.
2. Empower DHS CISA to define "covered entities" subject to reporting requirements and set minimum thresholds defining a "cyber incident."
3. A 72-hour reporting timeline to DHS CISA after the cyber incident has occurred.
4. Non-covered entities may voluntarily report cyber incidents.
5. Limited liability coverage.
6. Empower DHS CISA to issue subpoenas.
7. Establish penalties for non-compliance, including civil action.
8. Establish the timeline for DHS CISA to implement the new CIR program.

There are additional CIRA provisions that House and Senate negotiators are considering, but their inclusion is less certain. These proposals could:

- Require entities paying ransomware demands to file a report with DHS CISA within 24-hours of payment.
- Exempt certain small businesses, non-profits, and religious organizations.
- Exempt "white hat" hackers, government entities and other third-parties retained by the primary entity to discover system vulnerabilities.
- Determine the scope and limitations on use and sharing of incident reports with other federal agencies, departments, etc.
- Harmonize cyber reporting requirements, especially for entities already subject to federal, sector-specific cyber incident reporting regulations, rules and requirements.

As the process moves forward, the Buchanan Ingersoll & Rooney team is prepared to discuss how best to influence both the legislative and regulatory rulemaking processes as well as the implications new cyber incident reporting requirements will have on your entity and its strategic goals.

The federal government's intense focus on and response to growing cyber threats provides our clients with the opportunity to position their needs and interests as new laws and regulations are developed and implemented. Given the speed with which these laws, rules, requirements and penalties are drafted, there will certainly be unintended consequences impacting all of our clients.

In addition to the new CIRA requirements, the Buchanan Federal Government Relations (FGR) team anticipates additional congressional action because there is bipartisan support for the federal government to oversee the cybersecurity of our nations' critical economic and physical infrastructure. Buchanan's FGR team stands uniquely positioned to counsel our firm's clients on the latest developments as Congress, DHS CISA and other sector regulators expand their authority, rules, oversight and penalties in the cyber space.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Buchanan Ingersoll & Rooney

Ninth Circuit Refuses to Boot FLSA Claims: Time Spent Logging On is Compensable

By Christian Antkowiak Buchanan Ingersoll & Rooney November 10 , 2022

Is an employer obligated to pay employees for the time spent booting up and signing into their computers prior to clocking in?

Protecting Your Brand - Amazon's Brand Registry Program

By Bassam N. Ibrahim Buchanan Ingersoll & Rooney November 09 , 2022

Trademarks are a useful tool for brand protection.

SEC Adopts Final Incentive Compensation Clawback Rules

By Jennifer R. Minter Buchanan Ingersoll & Rooney November 04 , 2022

On October 26, 2022, the Securities and Exchange Commission (SEC) adopted final rules that will require listed companies to disclose and implement policies to “claw back” or recover incentive compensation paid as a result of erroneously reported financial information that is subject to a required accounting restatement.

More From Cybersecurity

Regulating Cybersecurity across the EU and the UK

By Romain Perray McDermott Will & Emery January 12 , 2023

On November 28, 2022, the Council of the European Union formally adopted the Network and Information Security 2 Directive (NIS 2 Directive), replacing the current NIS Directive (Directive 2016/1148/EC).

NYDFS Proposes Significant Changes to Its Cybersecurity Regulation

By Timothy A. Butler Greenberg Traurig January 06 , 2023

On Nov. 9, 2022, the New York Department of Financial Services (NYDFS) issued a proposed second amendment to its 2017 cybersecurity regulation for financial service companies.

FTC Delays Compliance Date of the Safeguards Rule

By Timothy A. Butler Greenberg Traurig January 05 , 2023

On Nov. 15, 2022, the Federal Trade Commission (FTC) announced that it is delaying the effective date of its recent amendments to the Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act (GLBA).

Featured Stories