Government Could Require Companies To Report Cyberattacks

Security Breach

A new piece of legislation would require some companies to inform the federal government if they’ve become the victim of a cyberattack.

As CNBC reported on Wednesday (July 21), the bipartisan Cyber Incident Notification Act was created in the wake of two high-profile hacking events: the attack on SolarWinds, which affected government agencies, and the ransomware disruption of the Colonial Pipeline.

“The problem is, under federal law, companies don’t have to report these attacks,” noted the CNBC report. “That means some attacks may occur without the government knowing, which can have serious implications if the government’s own systems are affected by the hack.”

Under the bill, federal agencies, federal contractors and critical infrastructure firms would need to tell the Department of Homeland Security whenever they find a breach of their systems. The bill also gives those companies some immunity when reporting the breach. For example, shareholders wouldn’t have access to the report to use as evidence in litigation.

The legislation is being put forward by Senate Select Committee on Intelligence Chairman Mark Warner, D-Va., Vice Chairman Marco Rubio, R-Fla. and senior member Susan Collins, R-Maine, based on concerns that came up during a hearing on the SolarWinds attack.

At that hearing, Microsoft President Brad Smith told the committee that the only reason the attack came to light was that FireEye, a cybersecurity company, reported what it thought was a state-sponsored attack on its system in December.

“After that disclosure, Reuters reported on a potentially adversary-linked hack into U.S. agencies through SolarWinds software updates,” noted the CNBC report. “Sources later told Reuters that attack was linked to the FireEye intrusion.”

FireEye’s CEO Kevin Mandia told CNBC that disclosure was a complex issue, “because all of the liabilities companies face when they go public about a disclosure.”

That’s just one of the many costs related to cyberattacks. In addition to the potential ransom that companies would have to pay to regain control of their systems, it’s likely that they’ll need to pay more to insure themselves against these attacks, as PYMNTS recently reported.

The $3 billion anti-hacking insurance industry has grown strained as risks and costs continue to rise, leading companies to tighten their standards and raise prices.

The new legislation comes one week after the White House launched a new ransomware task force that promises rewards of up to $10 million for information that identifies hackers using their skills to carry out cyberattacks.