A group of senators introduced a bill on Wednesday that would require certain companies to report cybersecurity incidents.
The bill, the “Cyber Incident Notification Act,” comes amid a series of high-profile cyberattacks in recent months, such as the Colonial Pipeline ransomware incident and the SolarWinds cyberattack, which impacted government agencies.
Under the bill, federal contractors and infrastructure groups would be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, according to a copy of the legislation published by NextGov. They would need to update the agency no later than 72 hours after receiving new information. The notifications to CISA would not be subject to the Freedom of Information Act and may not be admitted as evidence in any civil or criminal action, the bill says.
The bill also would require Homeland Security to give Congress an annual report that summarizes the reported cybersecurity incidents.
Senate Intelligence Committee Chairman Sen. Mark Warner (D-Va.), Vice Chairman Sen. Marco Rubio (R-Fla.), and committee member Sen. Susan Collins (R-Maine) are the main sponsors of the bill, but several other lawmakers have also backed it.
“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion. The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” Warner said in a statement, according to the Hill. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”