Yesterday, President Biden signed the Cyber Incident Reporting For Critical Infrastructure Act of 2022. The law shortens reporting timelines for cybersecurity incidents and names the Cybersecurity and Infrastructure Security Agency (CISA) as the leading government body for enforcement.

Why should we care?
While the finance sector is listed as one of the “critical infrastructure entities” that must report to CISA, the law doesn’t name crypto and CBDCs among these entities. Biden’s March 9 executive order arguably fills in the gaps to clarify that these nascent financial sectors fall under the new law’s purview. But that laws signed after the executive order remain ambiguous seems self-defeating, given that the executive order was meant to symbolize a new era of clear crypto regulation. Regardless of the fine print’s failings, entities subject to the law, including fintechs, have to report cybersecurity incidents to CISA within 72 hours, and within 24 hours if a ransomware payment was made. A cybersecurity incident is defined as an event leading “to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.” There’s a bit of wiggle room for noncompliance, but CISA will have teeth in enforcing these rules. The agency can issue subpoenas to companies it believes were victim to a cybersecurity incident or made a ransom payment. Failure to comply can lead to civil lawsuits. We should expect fintechs to shore up their compliance efforts due to this new law, leading to further cross-pollination between security and legal teams.