Congress approved legal mandates for cybersecurity as part of last week's spending bill, requiring critical infrastructure companies to report breaches, ransomware payments and other noteworthy cyber incidents to the US government.
Now companies will be compelled to report incidents within 72 hours of undergoing a cyberattack and within 24 hours of making a ransom payment.
“This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” said Senator Gary Peters, D-Mich., chair of the Senate Homeland Security Committee.
The legislation comes after increasing cyberattacks have managed to breach critical infrastructure such as the Colonial Pipeline, which paid $4.4 million in 2021 to regain access to its systems.
An incident count compiled by Temple University has registered 1156 cases of ransomware attacks between November 2013 and February 2022, of which 281 were against government facilities, 216 against healthcare and public health institutions and 165 against educational facilities. Ransoms of more than $5 million were demanded in 44 cases.