Bill requiring companies report cyber incidents moves forward in the Senate

The Senate Homeland Security and Governmental Affairs Committee on Wednesday approved legislation to require many companies to report both major cybersecurity breaches and payments made related to ransomware attacks. 

The committee approved the Cyber Incident Reporting Act, formally introduced last week by committee Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), by voice vote, with Sens. Rick Scott (R-Fla.), Ron Johnson (R-Wis.) and Rand Paul (R-Ky.) objecting.

The bill would require owners and operators of critical infrastructure groups to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It would also require critical infrastructure groups, nonprofits and most medium to large businesses to report making ransomware attack payments within 24 hours.

The legislation is one of several efforts to strengthen cybersecurity protocols following a string of major attacks on both the government and the private sector in recent months, including ransomware attacks on Colonial Pipeline, meat producer JBS USA and IT group Kaseya. 

“I hope we are all in agreement that this is not something we can wait on. Cybercriminals are not waiting. They are actively engaged today,” Peters said during the markup.

While most members of the committee supported the idea of putting in place mandatory breach reporting for critical groups, debate erupted during the markup Wednesday around the short timelines and the requirement that private small businesses report ransomware payments to regain access to their networks. 

Scott offered an amendment, which was voted down by the committee, that would narrow the focus of the bill to requiring that critical infrastructure groups report ransomware payments. 

“I support the intent of this bill, but I do believe that another onerous government mandate on our small businesses is not the answer,” Scott said.

Sen. James Lankford (R-Okla.) raised concerns that the bill’s timelines had “holes.”

“This cake is 30 minutes of baked into a 45 minute bake, if I can say that, and I’d love some more time to be able to finish it out so when we get this passed, we have the things in it that we really need to have in it,” Lankford said at the markup.

While the overall bill was passed, Peters and Portman promised to take feedback from both sides of the aisle on how to improve it in upcoming weeks prior to their goal of including it in the Senate’s version of the 2022 National Defense Authorization Act (NDAA) later this year. 

“We do know there are issues that have been raised with the language in this legislation, but today’s action is the first step in what will hopefully be another step, which will be part of the National Defense Authorization [Act] because of the national security implications of this,” Peters said. “You have my commitment as chair, you have the commitment from the ranking member, to work with members on both sides to address any issues so that we have a good, bipartisan product that deals with the significant threat we are facing.”

The House passed its version of the 2022 NDAA last month, including bipartisan legislation from leaders of the House Homeland Security Committee that would ban CISA from requiring organizations to report cyber incidents earlier than 72 hours after they occurred.

The Senate Homeland Security Committee on Wednesday also approved a separate piece of legislation, also sponsored by Peters and Portman, to update the Federal Information Security Modernization Act and take steps to clarify reporting requirements for federal agencies if they are successfully targeted by hackers. 

While the panel was divided on the previous legislation, the second bill was unanimously approved by voice vote.