Cyber Incident Notification Act of 2021 – Summary with Q&A
Ransomware attacks across the United States are becoming more frequent and dangerous, posing serious risks to individuals, businesses, and national security. In 2021, government officials from both sides of the political aisle came together to address the issue on the national front, recognizing the need to mitigate the vulnerability of our government agencies, federal contractors, and critical infrastructure operators. Much of the conversation was motivated by a recent onslaught of ransomware attacks that have jeopardized federal agencies as well as the major attack on the Colonial Pipeline, which halted pipeline operations and caused major fuel shortages along the east coast of the United States.
In July, Senators Mark R. Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) introduced the Cyber Incident Notification Act of 2021, which would require these entities to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when they have been breached. This allows the U.S. government to mobilize more efficiently to protect not only itself but also the critical industries that affect our everyday lives. Importantly, the bill also grants immunity to the companies that come forward to report breaches, recognizing that ransomware attacks can happen to virtually anyone at any time.
This legislation is further evidence that cybersecurity is deservedly getting more attention from the U.S. government, which is in the process of deploying the CMMC model. Given this bill’s wide bipartisan support, federal contractors, federal subcontractors, and others in the federal supply chain should keep abreast of news and developments regarding this legislation, and should prepare now for reporting and responding to potential or actual cybersecurity incidents.
Cyber Incident Notification Act of 2021 – Questions and Answers
To whom does the Cyber Incident Notification Act of 2021 apply?
The law applies to government agencies, federal contractors, and critical infrastructure operators. These entities will be more narrowly defined by the Director of the Cybersecurity and Infrastructure Security Agency.
What are the enforcement mechanisms in place to drive compliance and what are the penalties for non-compliance?
If the Director determines that a covered entity has violated the requirements of the law, then a civil penalty (not exceeding 0.5 percent of the entity’s gross revenue from the prior year) may be assessed for each day the violation continues.
What, if anything, should business leaders and managers of covered entities do today to ensure compliance with the law?
Business leaders and managers of covered entities who do not already have one should develop a thorough incident response plan and put a robust response team in place to address the ever-present dangers of ransomware attacks and other cybersecurity threats.