Congress Drafts Up New Rules For Reporting Cyber Attacks


At the end of last month, on July 27, the Senate Judiciary Committee held a hearing, which included top cyber officials, on the rise of ransomware attacks in the US.

Over the past year, there has been a 300% increase in attacks, costing businesses $300 million, according to the Department of Justice.

“We don’t have to regulate everybody in the world. But if you’re critical infrastructure we should no longer tolerate this voluntary regime with big companies who know their infrastructure is critical and fail,” said Sen. Whitehouse (D-RI).

Earlier in the month, Sens. Mark Warner (D-VA), Marco Rubio (R-Fla.), and Susan Collins (R-ME) introduced the Cyber Incident Notification Act of 2021, which aims to change how cybersecurity breaches are reported.

According to the bill's text, it is written "to ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public, and for other purposes."

The bill, if passed, would require certain businesses to report a breach within 24 hours and to keep reporting for 72 hours after the report is made. Businesses with government contracts, as well as those involved in manufacturing, energy production, and finance, would be affected if it passes.

According to the bill, penalties for non-reporting for businesses without contracts would be "equal to 0.5% per day of the entity's gross revenue from the prior year." For those with government contracts, non-reporting could mean removal.

"The rapid growth in the number and sophistication of cyber-attacks is the alarm bell ringing about the need to immediately bolster the cybersecurity of our critical infrastructure," the Majority Statement read, continuing, "If we don’t, it is only a matter of time before we will see another crippling cyber incident that will have an even more catastrophic impact than we saw with Colonial Pipeline."