Cyber Incident Reporting’s big day

The leaders of the Senate Homeland Security and Governmental Affairs Committee on Tuesday introduced legislation that would give set timelines for cyber incident reporting, including mandating that certain organizations report within 24 hours if they paid the sum demanded in a ransomware attack.

The Cyber Incident Reporting Act, sponsored by panel Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), would also require owners and operators of critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.

Nuts and bolts: Organizations required to report ransomware payments within a day of handing over the funds include critical infrastructure groups along with nonprofits, businesses with over 50 employees, and state and local governments.

The payment and incident information would go to a council at CISA, with the agency empowered to subpoena groups that fail to report. Organizations that fail to comply with the information request would then be referred to the Justice Department, and potentially banned from doing business with the federal government.

“This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack,” Peters said in a statement Tuesday. “This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks.”

Wider concerns: The bill was introduced as part of an effort by Congress to respond to a wave of major cyberattacks over the past year.