Senators on the Homeland Security Committee introduced new legislation in September 2021 that would require critical infrastructure companies to report cyberattacks to the federal government within hours. The bill would also require most organisations to tell the federal government when they make ransomware payments.
If enacted, the Cyber Incident Notification Act of 2021 would require critical infrastructure owners and operators to notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a cyberattack. Moreover, non-profits, businesses with more than 50 employees, and state and local governments would have to notify the federal government within 24 hours of making a ransomware payment.
The new legislation follows several major cyberattacks and ransomware incidents, including the Colonial Pipeline attack. It would also give CISA the authority to subpoena entities that fail to report incidents or ransomware payments.
According to the bill, a business or non-profit that fails to comply with such a subpoena could be referred to the Department of Justice and barred from contracting with the federal government.
CISA would also be required to launch a program that notifies organisations of vulnerabilities that ransomware actors commonly exploit. A joint ransomware task force would also be formed to prevent and disrupt ransomware attacks.
Jen Easterly, CISA’s director, has called for cyber incident reporting so that the agency can help victims of hacks, analyse the reported information and share it more broadly to determine whether similar incidents are occurring elsewhere.
“We absolutely agree it's long past time to get cyber incident reporting legislation out there, and we're excited to work with you on this”, Easterly said.
As ransomware and cyberattacks become more sophisticated, the Cyber Incident Notification Act of 2021 would help businesses protect their operations and limit the damage ransomware can cause.
Beyond the support of government agencies, businesses must also build a robust cybersecurity framework to prevent cyberattacks and ransomware in the first place. Because there is no one-size-fits-all approach to cybersecurity, organisations must assess their own needs and goals when designing such a framework.
To learn more about assessing and prioritising the risks associated with a smart factory, check out Trend Micro’s extensive white paper, Practical Risk Assessments for Smart Factories.