On March 15, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. This Act mandates that private sector entities must inform the Cybersecurity and Infrastructure Security Agency (CISA) after suffering a data breach or make a ransom payment. The house passed the bipartisan legislation after failing to pass similar legislation in recent years, amid the growing concerns of retaliatory cyberattacks relating to Russia’s invasion of Ukraine.
The newly passed Act creates two new reporting mandates for business owners and operators of critical infrastructure:
- Report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) within 72 hours.
- The obligation to report ransomware payments within 24 hours.
Now that new cyber policies are in place, businesses are advised to modify their cybersecurity defense tools, re-evaluate their internal policies to ensure their procedures reflect the Act’s requirements.
To learn more about how this may affect your business, read more of Law360’s article regarding the new Cybersecurity Incident Reporting for Critical Infrastructure Act here.