The National Retail Federation today welcomed final passage of legislation requiring businesses that own or operate critical infrastructure to report cyberattacks to federal authorities, saying it will help protect resources ranging from the nation’s electrical grid to the availability of essential consumer products.
“We appreciate the fact that Congress has taken a major step forward to protect our nation against cyberattacks while still focusing on the most truly critical elements of critical infrastructure,” NRF Vice President for Retail Technology and Cybersecurity Christian Beckner said. “Lawmakers have listened to the concerns of retail and other industries. This is a carefully crafted measure that will enhance the quality of cyber threat information that is shared with private industry and accomplishes its goals in a way that is balanced and risk-based. Retailers work every day to protect against cyber threats in coordination with the federal government and through threat-sharing programs such as those run by NRF. This legislation will complement those efforts and ensure that all entities play the appropriate role.”
Among other provisions, the bill would require that owners and operators of critical infrastructure report to the federal Cybersecurity and Infrastructure Security Agency within 72 hours if they are experiencing a substantial cyberattack and within 24 hours if they make a ransomware payment. CISA will determine which types of businesses would be required to report depending on considerations such as how broadly an attack would disrupt the economy or impact national security. Information from the reports will be used to improve defenses against cyberattacks and be shared with other cyber-intelligence agencies and cybersecurity experts in private industry.
NRF has led the retail industry’s efforts to prevent and respond to cyberattacks for years, bringing top retail cybersecurity experts together in the NRF IT Security Council and sharing information about attacks through the NRF Cyber Risk Exchange.