Debevoise Discusses New Cyber Incident Reporting for Critical Infrastructure

On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”) into law, requiring critical infrastructure entities to report covered cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and report ransom payments to CISA within 24 hours of payment. The Act, which was incorporated into the 2022 Consolidated Appropriations Act and does not take immediate effect, requires CISA to undertake rulemaking to define key elements, including what types of entities constitute critical infrastructure, how a cybersecurity incident is defined, and what should be included in reports to … Read more

Debevoise & Plimpton Discusses Proposed Cybersecurity Legislation

On November 15, 2021, President Biden signed the Infrastructure Investment and Jobs Act into law, authorizing $1.2 trillion for infrastructure spending, including approximately $2 billion for various federal cybersecurity projects. This adds to a large number of cybersecurity bills that are currently pending before Congress. In this Debevoise Data Blog post, we outline the key themes and takeaways of these pending bills, and what companies can expect in terms of new cybersecurity obligations in 2022.

The bills, which largely focus on critical infrastructure, appear to be coalescing around three key concepts:

  1. Expanding the Role of the Cybersecurity and Infrastructure Security

Read more