Senate passes major cybersecurity bill requiring reporting of cyber incidents – Technology


United States: Senate Passes Major Cybersecurity Bill Requiring Reporting of Cyber Incidents


The Strengthening American Cybersecurity Act of 2022, a bill that narrowly failed to become law last year, passed the Senate on Tuesday, March 1, 2022 as a package of cybersecurity measures that would require critical infrastructure operators and federal civilian agencies to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The bill, which has bipartisan support, was sponsored by Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (R-Ohio). It is the most significant cybersecurity bill to pass the Senate in the history of the chamber, and if enacted it would be the first major cybersecurity legislation since the Cybersecurity Information Sharing Act of 2015, which gave companies legal cover to voluntarily share cyber threat information with the government. The Strengthening American Cybersecurity Act of 2022 requires reporting of cyber incidents by critical infrastructure entities and federal agencies, establishes stricter cybersecurity requirements for federal agencies, and directs federal agencies to migrate to cloud-based networks, among other provisions setting out the roles and responsibilities of CISA.

Title II of the bill establishes reporting requirements for critical infrastructure, or "covered entities," a term to be defined by subsequent rulemaking. The reports the bill requires of owners and operators of critical infrastructure include notifying CISA within 72 hours of experiencing a covered "cyber incident" and within 24 hours of making a ransom payment following a ransomware attack. A cyber incident is defined as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system. Reports to the FBI are notably not required by the bill; however, the bill provides a mechanism for CISA to share reported information with other agencies.

Although the details are also subject to further rulemaking by CISA, the bill establishes minimum requirements for the content of all reports. A cyber incident report must include, where available and applicable:

  • A description of the covered incident

  • A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident

  • Any identifying or contact information related to each actor reasonably suspected of being responsible for such cyber incident

  • The category or categories of information that has been, or can reasonably be believed to have been, accessed or acquired without authorization

  • Information about the affected entity, including state of incorporation or formation, legal entity name, trade names, or other identifiers

  • Contact information for the covered entity or an authorized agent of the entity

If enacted, covered critical infrastructure entities would be required to supplement their initial reports whenever substantial new or different information becomes available. Supplemental reporting would continue until the entity notifies CISA that the cyber incident has concluded and been fully mitigated and resolved. If a covered entity is already required by law, regulation, or contract to report substantially similar information to another federal agency within a substantially similar time frame, that entity may be exempt from the reporting requirements established by the Act.

A ransom payment report would include, at a minimum and where available and applicable:

  • A description of the attack, including the estimated date range of the attack

  • A description of the vulnerabilities, tactics, techniques, and procedures used to carry out the ransomware attack

  • Any identifying or contact information related to each actor reasonably suspected of being responsible for the ransomware attack

  • The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made

  • Contact information for the covered entity or an authorized agent of the entity

  • The date of the ransom payment

  • The ransom payment request, including the type of virtual currency or other commodity requested

  • The ransom payment instructions

  • The ransom amount

Reporting of a ransom payment would be required even if the underlying ransomware attack is not a covered cyber incident under the Act.

The bill now goes to the House, where it is supported by Rep. Yvette D. Clarke (D-NY), chair of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, and Rep. John Katko (R-NY). At this time, no floor time or debate has been scheduled in the House.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
