President Joe Biden signed legislation that will require critical infrastructure entities to report a hack or other significant cyber incident to CISA within 72 hours, once the agency finalizes the implementing rules.
On March 15, President Joe Biden signed into law omnibus legislation that funds the government through Sept. 30, 2022.
Among other things, the legislation includes key provisions from the Cyber Incident Reporting for Critical Infrastructure Act, which will require critical infrastructure entities to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of being hacked or suffering a significant cyber incident. The provisions also require covered entities to report any ransomware payment within 24 hours of making it.
Previous U.S. government definitions of critical infrastructure have included sixteen different sectors, including the financial services sector. CISA's website currently notes that “the financial services sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions.”
Importantly, the language in the omnibus requires CISA to propose rulemaking within 24 months and for that rulemaking to be finalized 18 months after that, so any potential requirement is likely years away. Additionally, the legislation gives CISA broad authority in its rulemaking and tasks the agency with defining important specifics, including what constitutes a covered entity, which cybersecurity incidents must be reported, and the required content of such reports.
As CISA moves through the rulemaking process over the next several years, the Big “I” plans to be active and advocate on behalf of its members, while providing any new updates in the weekly News & Views e-newsletter.
Wyatt Stewart is Big “I” assistant vice president of federal government affairs.