Cyber Incident Reporting by Industry Mandated in Draft Bill

Aug. 30, 2021, 8:59 PM

Critical infrastructure operators would be required to report cyber incidents to the government’s cybersecurity agency within three days under a bipartisan bill from House Homeland Security Committee leaders.

The draft legislation follows a large increase in cyberattacks across critical infrastructure sectors, including on energy firm Colonial Pipeline Co. and meat producer JBS SA, and increased pressure to require companies to share incidents with the federal government.

The bill, backed by Chair Bennie Thompson (D-Miss.), ranking member John Katko (R-N.Y.) and Rep. Yvette Clarke (D-N.Y.), would direct the Cybersecurity and Infrastructure Security Agency to issue an interim final rule within nine months that would mandate certain critical infrastructure operators, such as energy companies and hospitals, to report cyber incidents within 72 hours of their occurrence. It would also create a new Cyber Incident Review Office within CISA to aggregate and analyze cyber reports from covered companies.

Thompson speaks to members of the media outside a hearing in Washington, D.C., on Tuesday, July 27.
Photographer: Stefani Reynolds/Bloomberg

The bill is expected to be formally introduced following Wednesday’s House Homeland Security Committee hearing, according to a person familiar with the legislation who asked not to be identified because the information isn’t public. The purpose of the hearing will be for lawmakers to discuss the bill text with industry stakeholders.

Witnesses scheduled to appear at Wednesday’s hearing include executives at cybersecurity firm Mandiant, and critical infrastructure sector associations, including the Bank Policy Institute, Information Technology Industrial Council, USTelecom and American Gas Association.

Parallel Senate Efforts

Senate Homeland Security and Governmental Affairs Chair Gary Peters (D-Mich.) previously said he’s working on cyber incident reporting legislation with ranking member Rob Portman (R-Ohio), but the committee hasn’t announced legislation timing.

Senate Intelligence Chair Mark Warner (D-Va.) and Vice Chair Marco Rubio (R-Fla.) introduced their own cyber reporting bill (S. 2407) in July, which would require critical infrastructure operators to report attempted or successful cyber incidents to CISA within 24 hours. It also would assess fines of up to 0.5% of a company’s previous year’s gross revenue for every day it fails to report attempted or successful cyber intrusions.


The forthcoming House bill doesn’t specifically spell out penalties for not reporting cyber intrusions. Instead, it directs CISA to further define four areas:

  • Which critical infrastructure entities would be required to report cyber incidents;
  • What a significant cybersecurity incident entails;
  • The methods by which covered entities report incidents; and
  • How CISA will enforce reporting noncompliance, including issuing subpoenas.

The draft legislation generally defines “significant cyber incident” as one that is likely to cause demonstrable harm to national security, foreign relations, the economy, public confidence, civil liberties, or public health and safety.

72-Hour Reporting Window

One significant difference in the House bill is the longer 72-hour reporting window, compared to the 24-hour window in the Senate bill from Warner and Rubio.

Grant Geyer, the chief product officer at Claroty, which provides cybersecurity services to companies to protect their industrial control systems, applauded the 72-hour reporting window.

“Within industrial environments, because of skill set gaps, environments are not as effectively positioned to spot cyberattacks — there’s definitely going to be a fog of what’s occurring within the first couple of days,” Geyer said in an interview.

He added that 72 hours “really gives organizations time to get a clear view and also ensures that CISA isn’t flooded with false positives that are really not incidents.”

The bill also has the backing of the American Gas Association, which represents large gas pipeline companies.

“AGA supports the draft bill since it establishes the criteria we believe is necessary for a workable incident reporting framework,” the association said in a statement. “We support the timing of incident reporting, supplemental reporting clarity, recognition of existing reporting requirements, Information Sharing & Analysis Centers, and liability protections.”

To contact the reporter on this story: Rebecca Kern in Washington at rkern@bgov.com

To contact the editor responsible for this story: Giuseppe Macri at gmacri@bgov.com
