Senate Bill to Mandate Cyberattack, Ransomware Payment Reporting

  • Bill would mandate reporting from companies, government agencies
  • Senate Homeland Security panel leaders introduce measure

Bloomberg Government subscribers get the stories like this first. Act now and gain unlimited access to everything you need to know. Learn more.

Energy companies, banks and other critical infrastructure operators would have to report cybersecurity incidents and ransomware payments to the federal government under legislation introduced Tuesday.

Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio) are unveiling a bipartisan bill to require critical infrastructure operators to notify the Cybersecurity and Infrastructure Security Agency within at least 72 hours of experiencing a cyberattack, according to details shared with Bloomberg Government.

The measure would also require other organizations—including nonprofits, businesses with more than 50 employees and state and local governments—to notify the federal government within 24 hours if they make a ransom payment following a ransomware attack.

“When entities — such as critical infrastructure owners and operators — fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” Peters said in a press statement.

Companies Must Report Ransomware, Cyberattacks in Senate Measure

The Biden administration’s top cybersecurity officials, CISA Director Jen Easterly and National Cyber Director Chris Inglis, backed a draft version of the measure during a committee hearing last week.

Biden Cyber Officials Back Breach Incident Reporting Mandate

The Senate bill is similar to legislation from House Homeland Security Chair Bennie Thompson (D-Miss.) and Reps. Yvette Clarke (D-N.Y.) and John Katko (R-N.Y.), which was included in an amendment to the House version of the fiscal 2022 National Defense Authorization Act (H.R. 4350) passed on Sept. 23. The House bill doesn’t mandate reporting of ransom payments.

Cyber Incident Reporting by Industry Mandated in Draft Bill

Peters said he plans to mark up the legislation and is considering the Senate version of the defense policy bill as a potential vehicle to advance the measure on the Senate floor, he told Bloomberg Government last week.

To contact the reporter on this story: Rebecca Kern in Washington at

To contact the editor responsible for this story: Giuseppe Macri at

Stay informed with more news like this – from the largest team of reporters on Capitol Hill – subscribe to Bloomberg Government today. Learn more.