Oct 21 2021

WASHINGTON, D.C. – U.S. Senator Thom Tillis (R-NC), Co-Chair of the Senate Cybersecurity Caucus, co-sponsored bipartisan legislation this week to require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber incident, including a cyberattack, and most entities to report if they make a ransomware payment. The Cyber Incident Reporting Act will improve federal agencies’ understanding of how to best combat cyberattacks, help our nation hold hackers accountable for targeting American networks, and bolster the federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans.

“Cyberattacks have steadily increased in recent years, putting private information, energy dependability, and our national security at risk,” said Senator Tillis. “It’s time for Congress to act on these growing threats by improving the reporting process when a cyberattack does happen. This commonsense legislation is a needed upgrade so we can successfully hold hackers accountable and I am proud to work on this legislation with my colleagues on both sides of the aisle.”

The Cyber Incident Reporting Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a covered cyber incident, including cyberattacks. The bill also creates a requirement for other organizations, including nonprofits, businesses with more than 50 employees, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. 

The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government. The legislation would also require entities who plan on making a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry.