US firms required to report hack or ransomware payment in new law

New rules approved by the US Congress will mean companies that are vital to US national interests will be required to report when they are hacked or when they make a ransomware payment.

According to Security Week, the rules are part of a broader effort by the Biden administration and Congress to shore up the US’ cyber defences following a number of high-profile digital espionage campaigns and disruptive ransomware attacks.

The publication added that the reporting will give the US government greater visibility into hacking efforts that target private firms, organisations which have often skipped going to the FBI or other agencies for help.

The new rules will require any entity considered part of the nation's critical infrastructure – including finance, energy and transportation – to report any significant cyber incident to the government within three days, and any ransomware payment within 24 hours of making it.

In addition, the legislation designates the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency to receive notices of hacks and ransomware payments.

Security Week detailed that the new rules will also empower CISA to subpoena firms that fail to report hacks or ransomware payments, with those that fail to comply with a subpoena potentially being referred to the Justice Department for investigation.

Copyright © 2022 RegTech Analyst
