USA – Cyber Incident Reporting Act for critical infrastructure is enacted

Allen & Overy LLP

On 15 March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act 2022 (Cyber Incident Reporting Act). The House of Representatives passed the bill on 9 March 2022.

The Cyber Incident Reporting Act will require critical infrastructure entities in the US to report substantial cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity reasonably believes that the incident occurred, and to report all ransomware payments within 24 hours after making the payment.

The CISA will issue further regulations in the next 24 months to specify the thresholds for notifiable cybersecurity incidents, the scope of the notification and which information about the mitigation and resolution of the incident should be provided. All ransom payments, regardless of whether the incident was required to be reported, will need to be notified to the CISA. Entities will also be required to preserve data relating to the incident or ransom payment according to the procedures defined by the CISA.

The Cyber Incident Notification Act will apply to entities in critical infrastructure sectors, including, for instance, communications, financial services, energy, healthcare, information technology and critical manufacturing. The CISA will have powers to compel compliance with the reporting obligations and may refer cases to the attorney general for civil enforcement actions.

Read the Cyber Incident Notification Act, which is part of the Consolidated Appropriations Act 2022.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
