U.S. Senate Passes Act Requiring Faster Reporting of Cyber Incidents

Publish Date


Cyber Alert

  • Cybersecurity
  • Cybersecurity Resources

New cybersecurity legislation may be coming for critical infrastructure companies

On March 1st, the United States Senate passed the Strengthening American Cybersecurity Act. If passed through the House of Representatives, it will require critical infrastructure companies to report a substantial cyber-attack to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It will also require these companies to report ransomware payments to CISA within 24 hours. CISA may share the anonymized reports with other relevant federal agencies, including the FBI, to help prevent cyber-attacks from spreading throughout the nation’s infrastructure.

The scope of the requirements will span across all sixteen critical infrastructure sectors, including the financial services industry. In addition, private equity firms and their portfolio companies may be impacted if they serve these critical sectors.

The Strengthening American Cybersecurity Act is part of a broader congressional and regulatory response to cybersecurity risk, which has especially been a point of emphasis for regulators in the financial services industry. In November of 2021, the FTC amended its ‘Safeguard Rule’ for financial firms to include more heightened security controls. This was followed by the SEC Proposing Cybersecurity Rules in February of 2022 that requires financial firms to implement robust cybersecurity practices, breach-reporting, and record keeping requirements.

The Strengthening American Cybersecurity Act has been sent to the House of Representatives to review. We will continue to monitor the progress of the Act through the legislative process.

How we help

ACA Aponix offers the following solutions that can help your financial institution develop, implement, and maintain the required information security program:  

For questions about this alert, or to find out how ACA can help you meet your regulatory cybersecurity obligations, please reach out to your consultant or contact us.