On March 15, President Biden signed the 2022 Cyber Incident Reporting for Critical Infrastructure Act (S.3600) into law. This law is widely supported by government and industry stakeholders as cyber incident frequency and severity levels continue to bring focus on the potential systemic nature of future cyber incidents.
What this means for food and agriculture going forward
Accounting for roughly one-fifth of the nation’s economic activity, food and agriculture falls under one of the 16 critical infrastructure sectors identified by the Cybersecurity and Infrastructure Security Agency (CISA).
The bill requires critical infrastructure owners and operators to report:
Cyber incidents within 72 hours of knowing the incident has occurred
Any ransomware payments, reported to CISA within 24 hours of the payment being made
The bill also includes several ransomware-specific provisions as well as appropriate liability, privacy, and use protections. CISA has advised it will use the data to warn entities of threats, help victims recover, analyze trends, and enable a whole-of-nation defense and response strategy.
How you should prepare
You should review your current cyber incident reporting structures and requirements to optimize efficient reporting and information sharing with CISA.
It is also important to share this information with all colleagues who work on your organization’s cyber risk program.
Marsh McLennan Agency can help
MMA’s Cyber Risk Practice specialists are ready to help you align your enterprise-wide cyber team’s perspectives on how best to approach complying with the new reporting requirements. Our specialists can help with knowledge and resources, including those offered by Marsh McLennan partner firms through our Cyber Resiliency Network, so that you can make informed decisions and rightsize your approach together.
If you or your fellow cyber colleagues would like to discuss any of the above information about this new legislation and how it may impact your cybersecurity program’s incident management planning, process, and platform, necessary cybersecurity service providers, or cyber insurance policy, please feel free to reach out to us directly.