
Congress Approves New Cybersecurity Reporting Rules

Mar 15, 2022

Provisions included in massive omnibus spending bill that awaits President Biden's signature

KEY TAKEAWAYS
  • Bill requires financial institutions and other businesses to report cyber attacks and related issues within 72 hours of when they occur.
  • It also mandates that businesses that pay ransom following a ransomware attack report the payment within 24 hours.

Updated: 2:50 p.m. 3/15/22

When Congress last week passed its omnibus legislation to keep the government running, the massive bill included a major section intended to protect consumers and businesses from cybersecurity threats.

Years in the making, the section includes provisions requiring financial institutions and other businesses to report cyberattacks and related issues within 72 hours of when they occur. In addition, it requires businesses that pay ransom following a ransomware attack to report the payment within 24 hours. 

The reports must be made to the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security.

The cybersecurity section of the omnibus bill, which President Biden signed into law today, is a composite of legislation produced in both the House and Senate over the past couple of years that, until recently, struggled to gain bipartisan support. The Russian invasion of Ukraine, and concerns over the potential for related cyberattacks on western nations, pushed both sides to reach a compromise.

A version of a Senate cybersecurity bill was approved unanimously earlier this month, something almost unheard of in a chamber evenly divided between the political parties.

Sen. Gary Peters, D-Mich., chairman of the Homeland Security and Governmental Affairs Committee, and co-author of legislation that the reporting provisions of the omnibus bill were based on, said the new requirements were long overdue.

“This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” Peters said in a statement. “Our provision will also ensure that CISA — our lead cybersecurity agency — has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations.”

In a joint statement, Rep. Bennie G. Thompson, D-Miss., chairman of the Committee on Homeland Security; Rep. John Katko, R-N.Y., the committee's ranking member; Rep. Yvette D. Clarke, D-N.Y., chairwoman of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, and Rep. Andrew Garbarino, R-N.Y., ranking member of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, said the legislation was “years in the making.” 

“This legislation ... is a product of rigorous bipartisan, bicameral negotiation informed by significant consultation with the administration and the private sector, who deserve credit for coming to the table to work with us. Our work is not done, but this legislation is a major step forward.”

The statement added: “The Cyber Incident Reporting for Critical Infrastructure Act, included within the Consolidated Appropriations Act 2022, is one of the most significant pieces of cybersecurity legislation in the past decade. Requiring owners and operators to report significant cyber incidents and ransomware attacks to CISA will mean greater visibility for the federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector so they can defend against future attacks.”

They added that the “authorities and resources provided in this bill can’t come soon enough, as CISA works to combat rapidly evolving cyber threats in this shifting geopolitical landscape. Passage of this legislation further solidifies Congress’ intent that CISA is the lead federal agency for cybersecurity.”

NMP reached out to the Mortgage Bankers Association for comment, but a spokesman said the organization “didn’t put out a statement on this and (doesn’t) have much to say.” 

A request for comment from the Consumer Financial Protection Bureau is still pending.

CISA was created in November 2018. As of 2020, it had an annual budget of $3.16 billion; as of last year, it had approximately 2,500 employees. Jen Easterly, a former executive assistant to the national security advisor and an Army veteran, has served as director of the agency since she was unanimously confirmed for the post last July.

While the legislation requires reporting specific information to CISA regarding cyberattacks and ransomware, it also limits the use and disclosure of the reported information.

About the author
David Krechevsky was an editor at NMP.