Alexandra N. Boyer, Esq., email@example.com, (412) 594-3924
Our clients in financial services, technology, and manufacturing industries, take note of this important new piece of legislation. On March 21, 2022, President Biden warned American businesses to prepare for imminent cyberattacks from Russian-backed hackers. In an effort to battle the increase in cyberattacks, President Biden signed into law the Strengthening American Cybersecurity Act of 2022 (the “Act”), which requires critical infrastructure sectors and businesses to report cyberattacks within 72-hours and ransom payments within 24-hours to the Department of Homeland Security.
The Act is likely in response to the highly publicized attacks on SolarWinds and the Colonial Pipeline, as well as the Russian invasion of Ukraine. Although a massive, government-orchestrated cyberattack has yet to occur, criminal organizations continue to steal data and hold critical networks hostage. This Act would provide law enforcement with a broader understanding of cyber criminals, who they target, and their hacking methods.
This new reporting requirement affects companies in “critical infrastructure sectors,” which broadly includes financial services, information technology, energy, healthcare, transportation, manufacturing, and commercial facilities. Under the Act, these companies must report and preserve data involving the cyberattack and ransom paid within the relevant time period, including a description of the attack, potential vulnerabilities exposed, tactics used, impact of the cyberattack to business operations, and the amount of ransom paid, if any. The law is currently in the “rulemaking” phase, where the Department of Homeland Security will create the mechanisms to implement the law.
Failure to report a cyberattack or ransom paid would result in penalties to the company, and the Department of Homeland Security may subpoena information and work with the Justice Department to ensure compliance. However, companies who file a report under this Act are immune to any civil suit arising from the report.
The 24 or 72-hour time limit is a short window of time to investigate, gather necessary information, and make a report, so advanced preparation is key. Companies should start to prepare by creating the necessary procedures to comply with the new regulations now. If your business needs assistance in preparing for this new regulation, contact Alex Boyer or Erin Beckner Conlin, Chief Compliance Officer at Tucker Arensberg, P.C.