Congress passes 72-hour cyberattack reporting requirement

A bill that would require banks to report substantial cyber incidents and ransom payments to the federal government passed through Congress this week and now heads to President Biden’s desk.

The House passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of its omnibus spending package on Wednesday, and the Senate passed the legislation the next day. The Senate had expressed unanimous support for the reporting requirements and two related measures last week.

Critical infrastructure providers across 16 sectors, including financial services and information technology, must meet the same requirements, covering both banks and their tech vendors. Each cyber incident would have to be reported within 72 hours of a determination that it was significant and payments made to ransomware attackers would have to be reported within 24 hours.

Many details beyond those two are yet undetermined. The Cybersecurity and Infrastructure Security Agency would create and execute a rulemaking process that fills in specifics of the law over three and a half years.

Once the rules go into place, if a company fails to meet the reporting requirements the law would allow the director of the cybersecurity agency to issue a subpoena to compel the company to report.

The legislation has a wide base of support, including among some tech vendors. Tim Erlin, vice president of strategy at the cybersecurity firm Tripwire, said the “net result” of the legislation would be positive, but incident reports would constitute only the first step in “a chain of actions” organizations will need to take to improve their cybersecurity.

“Right now, legislative and regulatory activity seems to be focused on gathering more and better information about attacks, but we should be careful not to ignore the value of preventive controls,” Erlin said.