As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part three of a four-part series (you can read Part 1 here and Part 2 here).

We have been keeping a close eye on proposed legislation related to cyber incident and ransomware payment reporting. Certain proposed legislation initially included in draft versions of the 2022 National Defense Authorization Act (NDAA) would have required critical infrastructure providers and contractors to report cyber incidents within 72 hours and ransomware payments within 24 hours. Despite widespread bipartisan support, these provisions were removed from the final version of the NDAA.

Putting it into Practice – What to expect in 2022: Many lawmakers appeared genuinely disappointed that the language was removed from the NDAA and have indicated enacting the proposed legislation will be a priority in the new year.