Although feared widespread Russian cyberattacks in the wake of the Ukraine invasion have not materialized, threats from both state actors and private groups remain. Congress passed and President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act which will require reporting of cybersecurity incidents within 72 hours.
The law defines "critical infrastructure" as including 16 sectors, for example communications, healthcare and information technology. Each sector must report to one or more government agencies. Detailed reporting requirements will be issued by the Cybersecurity and Infrastructure Security Agency (CISA) within 24 months. While this may seem like a long time, the threats are here and now, and companies should be assessing their risks and fixing vulnerabilities. The CISA can assist in these assessments.