A bill that would require banks to report substantial cyber incidents and ransom payments to the federal government passed through Congress this week and now heads to President Biden’s desk.
The House
Critical infrastructure providers across
Many details beyond those two are yet undetermined. The Cybersecurity and Infrastructure Security Agency would create and execute a rulemaking process that fills in specifics of the law over three and a half years.
Once the rules are in place, if a company fails to meet the reporting requirements, the law would allow the director of the cybersecurity agency to issue a subpoena compelling the company to report.
The legislation has a wide base of support, including among some tech vendors. Tim Erlin, vice president of strategy at the cybersecurity firm Tripwire, said the “net result” of the legislation would be positive, but incident reports would constitute only the first step in “a chain of actions” organizations will need to take to improve their cybersecurity.
“Right now, legislative and regulatory activity seems to be focused on gathering more and better information about attacks, but we should be careful not to ignore the value of preventive controls,” Erlin said.