Bipartisan Bill Would Require Firms to Report Cyberhacks Within 72 Hours

The House of Representatives is expected to consider legislation this week that would require financial institutions and other critical infrastructure operators to report substantial cyber incidents and ransom payments to the federal government.

The package of three bills, together titled the Strengthening American Cybersecurity Act, passed the Senate last week by unanimous consent and has been included in omnibus spending legislation that House leaders were trying to bring up for a vote as early as Wednesday. It also has the backing of the lobbying group Bank Policy Institute.

Reporting requirements would remain unchanged for up to three and a half years if the legislation becomes law. During that time, the Cybersecurity and Infrastructure Security Agency, or CISA, would create and execute a rules-making process that fills in specifics of the law.

Among the specifics yet unaddressed are which financial institutions would have to report cyber incidents and ransom payments, what exactly they would have to disclose in such reports, and the precise types of cyber incidents that would require reporting.

Learn more (American Banker subscription may be required)