Biden signs ransomware reporting mandate into law

United States president Joe Biden signed new cyber security incident reporting mandates into law on Tuesday 15 March, making it a legal requirement for operators of critical national infrastructure (CNI) to disclose cyber attacks to the government

Having passed through the US legislature on Friday 11 March, the long-debated Strengthening American Cybersecurity Act, which has its roots in proposals first set out by a Democratic senator Gary Peters and Republican senator Rob Portman in the wake of the 2021 Colonial Pipeline incident.

At its core, it will require CNI owners within the US to report substantial cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and any ransomware payments made within 24 hours. It enables CISA to subpoena organisations that fail to do so, with the threat of referral to the US Department of Justice (DoJ) for non-compliance.

Additionally, the law also directs CISA to establish a new programme to warn organisations of new vulnerabilities being used by ransomware operators, and a joint ransomware taskforce to coordinate federal and industry efforts to disrupt their work.

“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting US networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyse incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims,” said CISA director Jen Easterly.

“CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure. Put plainly, this legislation is a game changer,” she said.

Senator Portman said that given Russia’s war on Ukraine, the threat of potential cyber attacks against critical infrastructure within the US was still elevated, making it even more important for governments to be able to coordinate appropriate responses.

“Now that our bipartisan legislation has been signed into law, it will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyber attacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” he said.

“The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.” 

Senator Peters added: “In the face of significant cyber security threats to our country – including potential retaliatory cyber attacks from Russia for our support in Ukraine – we must ensure our nation is prepared to defend our most essential networks.

“This historic, new law will make major updates to our cyber security policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in American is reporting cyber attacks and ransomware payments to the federal government.”

The passage of the new legislation comes days after the US financial regulator, the SEC, said it was considering proposals to mandate cyber security disclosures by public companies, an act that would likely have more profound repercussions for the global business community.

The SEC said it had been requiring disclosure of important information from listed companies for nearly a century, with the ultimate objective of enabling investors to make sound judgments about where to put their money. This regime has evolved significantly since the days of the Great Depression, and now must do so again to reflect the ever-present risk of cyber attacks.

SEC chair Gary Gensler, a former investment banker with Goldman Sachs, said the SEC’s proposals would require mandatory, ongoing disclosures on governance, risk management and strategy with regard to cyber risk.

The information in scope would potentially include management and boardroom roles and oversight of risk, whether or not organisations have cyber policies and procedures in place, and how cyber risks and incidents are likely to impact organisations’ finances.

There will also likely be mandatory, material cyber security incident reporting. Gensler said: “This is critical because such material cyber security incidents could affect investors’ decision-making.

“When companies have an obligation to disclose material information to investors, they must be complete and accurate. Their disclosures should be timely. Today’s proposal would specify when and what information about cyber security incidents companies must disclose in a current report…It also would require updates in periodic reports to give investors more complete information on previously disclosed, material cyber security incidents.”