Description:
The bill would • Require operators of critical infrastructure to report cyber attacks and ransom payments • Establish a program office to receive and analyze reports on cyber incidents • Create a pilot program to warn federal agencies and nonfederal entities that are vulnerable to ransomware • Impose intergovernmental and private-sector mandates by requiring the owners and operators of critical infrastructure to file reports about cyber incidents and ransom payments and to retain relevant data. The bill also would preempt state, local, and tribal public disclosure laws Estimated budgetary effects would mainly stem from • Implementing new cyber incident reporting processes • Identifying information systems that have security vulnerabilities • Collecting civil and criminal fines from entities that do not comply with disclosure requirements Areas of significant uncertainty include • Predicting the annual number of cyber incidents reported to the federal government • Anticipating how often the federal government would impose fines and penalties
