The Senate Homeland Security and Governmental Affairs Committee on Wednesday approved legislation to require many companies to both report major cybersecurity breaches and to report making payments related to ransomware attacks.

The committee approved the Cyber Incident Reporting Act, formally introduced last week by committee Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), by voice vote, with Sens. Rick Scott (R-Fla.), Ron Johnson (R-Wis.) and Rand Paul (R-Ky.) objecting.

The bill would require owners and operators of critical infrastructure groups to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It would also require critical infrastructure groups, nonprofits, and most medium to large businesses to report making ransomware attack payments within 24 hours.