Norton Rose Fulbright - Data Protection Report blog

On September 28, 2021, the US Senate Homeland Security and Governmental Affairs Committee released a draft bill that would, among other things, require nearly all entities that make a ransom payment as the result of a ransomware attack against the entity to report the payment to the Director of the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security, within 24 hours of the payment. The bill would be known as the “Cyber Incident Reporting Act of 2021” and would apply to critical infrastructure organizations, nonprofits, businesses with more than 50 employees, and all state and local governments. In addition to the 24-hour notification requirement regarding ransom payments, the bill would require critical infrastructure companies to report cyber incidents to the Director of CISA within 72 hours.

The bill is similar in purpose to other recently pending bills, such as the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” and the “Cyber Incident Notification Act of 2021,” in seeking to provide the federal government with increased visibility into the scope and severity of ransomware attacks and payments. Likewise, the proposed bill is consistent with the government’s long-standing position against paying ransoms, due to concerns that payments further incentivize cybercriminals. The proposed bill comes less than one week after OFAC added an entire cryptocurrency exchange, SUEX OTC, S.R.O., to the SDN List.

The proposed bill further seeks to keep officials informed of targeted cyberattacks in the U.S. According to law enforcement officials, only about one-fourth of all cyberattacks are ever reported to government officials. Consequently, the bill would also require covered entities to submit an update, or supplement, to a previously submitted covered cyber incident report to the Director if new or different information becomes available, or if the covered entity makes a ransom payment after notifying the Director pursuant to the 72-hour notification obligation discussed above. This continuing obligation would enable the Director to analyze reports provided by the covered entities to identify common “infrastructure, tactics, and techniques” used by malicious cyber actors. Such knowledge would allow CISA to inform the public at large of cyber threats in an effort to help organizations avoid potentially imminent cyberattacks. Notably, to further incentivize reporting of ransomware attacks and ransom payments, the bill explicitly provides that “[a] covered cyber incident or ransom payment report submitted to the Office by an entity that makes a ransom payment … shall not be used by any Federal, State, Tribal, or local government to investigate or take another law enforcement action against the entity that makes a ransom payment.”

If a covered entity experiences a ransomware incident or pays the ransom demand but does not report it, the bill would give the Director the authority to directly request information about the cyber incident or ransom payment from the entity. If the entity does not respond within 72 hours of the Director’s request, the Director may issue a subpoena to compel disclosure of the necessary information. Further, if the entity does not comply with the subpoena, the Director may refer the matter to the Attorney General to bring a civil action against the entity. Such entities could later be found in contempt of court.

Practical implications

Overall, the proposed bill is in line with previous guidance and recommendations to always notify law enforcement of cyberattacks and ransom payments. Therefore, in practice, the proposed bill would not impose an additional or burdensome obligation on entities. While the bill does not explicitly prohibit ransom payments or lay out a required process prior to making one, entities should always comply with OFAC’s October 2020 and September 2021 guidance before making a ransom payment; that guidance already recommends promptly notifying, and cooperating with, U.S. law enforcement and relevant government agencies.

Read the full text of the proposed “Cyber Incident Reporting Act of 2021” bill.