Cyber Incident Reporting Act of 2021

Cyber Incident Reporting Act of 2021

This bill requires reporting and other actions to address cybersecurity incidents, including ransomware attacks.

Entities that own or operate critical infrastructure must report cyber incidents and ransom payments within specified time frames while other entities may voluntarily report incidents. The Cybersecurity and Infrastructure Security Agency (CISA) must establish an office to receive and analyze such reports.

The bill limits the use and disclosure of reported information. The information may be shared (subject to protections) with federal agencies or to address cybersecurity threats. However, shared information may not be used as a basis for certain regulatory enforcement. Additionally, an entity may not be liable for submitting required reports. Further, reports do not constitute waivers of applicable protections against disclosure (e.g., attorney-client privilege) and are not subject to laws governing release of federal records.

The bill authorizes CISA to take specified action (e.g., issuing subpoenas) if an entity fails to submit a required report. CISA may share subpoenaed information with a regulator or the Department of Justice for regulatory enforcement or criminal prosecution.

A federal agency must share any information it receives about cyber attacks with CISA.

The bill also establishes (1) an interagency council to standardize federal reporting of cybersecurity threats, (2) a task force on ransomware attacks, and (3) a pilot program to identify information systems vulnerable to ransomware attacks.