Cyber incidents that happen within US critical infrastructure companies must now be reported to CISA within 72 hours, under legislation our President signed into law. As the article mentions, covered entities will also be obligated to report any ransomware payments to CISA within 24 hours under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The new reporting requirements apply to organizations that fall within the 16 U.S. critical infrastructure sectors, such as chemical, communications, energy, financial services, healthcare, etc. The report includes relevant vulnerabilities, efforts taken to mitigate the attack, categories of data believed to have been accessed or acquired by an unauthorized person, and any actor reasonably believed to be responsible for the incident. Covered companies that do not report cybersecurity incidents or ransomware payments within that period will be issued a subpoena by CISA.
Resource:
https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/
By: Victoria Zak