IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Legislation to Mandate the Reporting of Cyber Attack Ransomware Payments

Critical infrastructure owners and operators are a primary concern.

Colonial Pipeline’s troubles with a cybersecurity hack leading to them paying a ransom to get their data and control of their facilities back was a watershed event. It highlighted a significant issue that has been ongoing for years. The loss of 40 percent of the liquid fuel distribution on the East Coast ramped up attention to the issue.

Senate members have responded with new proposed legislation to mandate the reporting of ransomware payments. See details below, a link to the legislation, and also commentary from a number of individuals on the proposed legislation.

Senate proposes cyber-attack reporting & penalties

On Tuesday, Senate leaders introduced legislation - The Cyber Incident Reporting Act - that would allow just 24 hours for certain organizations to report if they paid a ransomware demand. Owners and operators of critical infrastructure would be given just 72 hours from the incident occurrence to report the event to the Cybersecurity and Infrastructure Security Agency (CISA).

The Bill would amend the Homeland Security Act to establish the Cyber Incident Review Office to monitor compliance and enforcement of the reporting requirements. Experts with Gurucul, Shared Assessments and YouAttest comment.

Saryu Nayyar, CEO, Gurucul (she/her):

“The United States Senate is considering a bill to open the window on ransomware and other hacking attacks on many organizations. The penalties for non-compliance are weak, so even if the bill is signed into law, don’t count on immediate and total compliance.

“Transparency is almost always better than secrecy. In the case of ransomware attacks, the inclination of organizations is to keep attacks and ransomware payments private, to not publicize weakness. Nevertheless, disclosure helps everyone understand the nature of the threat, and gives organizations the opportunity to share detailed information and work together to combat existing and future threats. In this regard, this bill is a step, albeit small, in the right direction.”

Nasser Fattah, North America Steering Committee Chair, Shared Assessments:

“There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly with critical infrastructures. Ideally, as the government gets timely information related to a ransomware attack, including any payments, then it can formulate an overall response that can best serve businesses of all shapes and sizes. It is also important to include in the Act very clear and understood definitions for key terms, including incident.”

Ron Bradley, VP, Shared Assessments:

“My sincere hope is this piece of legislation doesn't come as a surprise to organizations, particularly those in critical infrastructure. Having a well documented incident response plan, which is tested on a regular basis, is a crucial component to good cybersecurity hygiene. It would be unwise for any company to contemplate paying a ransom without first contacting the FBI. In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important.

“The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA). Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.”

Tom Garrubba, CISO, Shared Assessments:

“I applaud and welcome the US Congress for taking such action, as cyber security threats against our infrastructure morph, grow, and intensify. Organizations historically (and rightly) don’t want to air their dirty laundry in public (i.e., a cyber incident), however, not sharing such details with federal authorities in a timely manner diminishes the country’s ability to leverage federal and even international resources and greatly reduces any response time required for countermeasures.”

Garret Grajek, CEO, YouAttest:  

“The CISA is in information gathering mode. By requiring all most organizations to report incidents of ransomware and collating this information, the CISA can start determining the real extent of the threat. Once this information is collated - many believe more stringent cybersecurity requirements are expected to follow. Like the CMMC, Cybersecurity Maturity Model Certification mandates for the U.S. DoD contractors.”
Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.