Cyberattack Reporting Requirements Included in Spending Deal (1)

  • Critical infrastructure industries would have to report hacks
  • Spending deal heading for House vote later on Wednesday

(Updates throughout with additional reporting.)

Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.

Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.

The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday.

“This has been a bicameral, bipartisan work product that passed unanimously in the Senate,” Peters said. “It has the broadest support that you can possibly get.”

The $1.5 trillion government funding package is set for a House vote later on Wednesday, with lawmakers also planning to vote on another stopgap funding bill that continues government funding at current levels through March 15, to give the Senate time to deal with the full-year legislation.

Congress Reaches Deal on Fiscal 2022 Spending, Ukraine Aid

The bill would impose requirements to report hacks and ransomware on critical infrastructure owners. The provisions have taken on new urgency as lawmakers and U.S. businesses worry about Russian cyberattacks in response to escalating sanctions imposed for invading Ukraine.

Photo: Angus Mordant/Bloomberg via Getty Images
A Schneider Electric Easergy P5 protection relay device indicts a simulated ransomware attack at the Red Balloon Security Inc. office in New York on Jan. 6, 2022.

Companies operating in critical infrastructure sectors, such as energy and communications, would have to report hacks to the government within 72 hours, or 24 hours if a ransomware payment is made.

Businesses will be looking to closely collaborate and communicate with the government to ensure their plans satisfy the new requirements, said Cinthia Granados Motley, global data privacy and information security director at Dykema Gossett PLLC, a law firm.

“If you’re an organization that hasn’t dealt with this before, you’re going to have a lot of work to do,” Motley said. For example, companies will have to ramp up data breach simulations to test if they can meet the “really tight” reporting turnaround, she said.

To contact the reporter on this story: Maria Curi at

To contact the editors responsible for this story: Sarah Babbage at; Anna Yukhananov at

Stay informed with more news like this – from the largest team of reporters on Capitol Hill – subscribe to Bloomberg Government today. Learn more.