Banks and other firms that operate critical infrastructure in the U.S. have until mid-November to
The Cybersecurity and Infrastructure Security Agency opened
Among the topics on which CISA is seeking comment are which entities are covered under the legislation, what kind of incidents they must report, what information they must report when an incident occurs, when the 72-hour countdown should start, and whether there are any federal and state regulations that are redundant with the new law.
The cyber incident act passed the Senate on March 1 on a bipartisan basis. It also received the support of the Bank Policy Institute, a lobbying group for the U.S. financial sector. The House of Representatives
Jen Easterly, the director of CISA,
While banks are already beholden to
The law will not just require banks to report substantial cybersecurity incidents; any bank that makes a ransomware payment will also have to report that payment to CISA within 24 hours.
Once the law takes effect, every financial institution and every firm in 15 other economic sectors must report each covered incident and ransomware payment to CISA, which will then share the reports with other agencies and aggregate them into quarterly reports.
The law "will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private-sector partners in response," Easterly said. "We can't defend what we don't know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats."
CISA has until March 2024 to propose regulations that will implement the cyber incident reporting law. Once it proposes regulations, it will have 18 months to finalize and enact them.