President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”), which creates a new requirement for organizations functioning in critical infrastructure sectors to report cyber incidents to the federal government, according to JD Supra. The Act is part of the Consolidated Appropriations Act and reflects a focus on cybersecurity risks.
Under the new Act, organizations in the critical infrastructure sectors must:
- Report “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours after the entity reasonably believes the incident occurred.
- Provide reports to CISA of substantial new or different information that becomes available until the incident has concluded and been fully mitigated and resolved.
- Report ransom payments to CISA within 24 hours after making the ransom payment.
- Preserve data related to cyber incidents or ransom payments in accordance with procedures to be established by CISA.