ASSEMBLY, No. 2200

STATE OF NEW JERSEY

221st LEGISLATURE

 

PRE-FILED FOR INTRODUCTION IN THE 2024 SESSION

Sponsored by:

Assemblywoman  BARBARA MCCANN STAMATO

District 31 (Hudson)


SYNOPSIS

     Requires businesses in the financial, essential infrastructure, and health care industries to develop cybersecurity plans.

 

CURRENT VERSION OF TEXT

     Introduced Pending Technical Review by Legislative Counsel.

An Act requiring certain businesses to develop cybersecurity plans and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    As used in this act:

     “Cybersecurity incident” means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers, or information systems.

     “Industrial control system” means an information system used to control industrial processes such as manufacturing, product handling, production, or distribution. “Industrial control system” includes supervisory control and data acquisition systems used to control geographically dispersed assets, and distributed control systems and smaller control systems using programmable logic controllers to control localized processes.

     “Information resource” means information and related resources, such as personnel, equipment, funds, and information technology.

     “Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

     “New Jersey Cybersecurity and Communications Integration Cell” means the New Jersey Cybersecurity and Communications Integration Cell established pursuant to Executive Order No. 178 (2015) in the New Jersey Office of Homeland Security and Preparedness, or any successor entity.

     "Sensitive business" means a sole proprietorship, partnership, corporation, association, or other entity, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution, that is engaged in the financial, essential infrastructure, or healthcare industries and does business in this State.

 

     2.    a.  A sensitive business shall develop and implement a cybersecurity program, in accordance with regulations adopted pursuant to this section.

     b.    The New Jersey Cybersecurity and Communications Integration Cell, in consultation with the Attorney General, shall adopt rules and regulations pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), that establish standards for the definitions and implementation of organization accountabilities and responsibilities for cyber risk management activities, and the establishment of policies, plans, processes, and procedures for identifying and mitigating cyber risk to a sensitive business.

     c.    The regulations shall provide that, as part of the cybersecurity program, a sensitive business shall: identify the individual chiefly responsible for ensuring that the policies, plans, processes, and procedures established pursuant to this section are executed in a timely manner; conduct risk assessments and implement appropriate controls to mitigate identified risks to the sensitive business’ system; maintain situational awareness of cyber threats and vulnerabilities to the sensitive business; and create and exercise incident response and recovery plans.

     d.    A sensitive business shall submit a copy of the cybersecurity program developed pursuant to this section to the New Jersey Cybersecurity and Communications Integration Cell, in a form and manner prescribed by the New Jersey Cybersecurity and Communications Integration Cell. A cybersecurity program submitted pursuant to this subsection shall not be considered a government record under P.L.1963, c.73 (C.47:1A-1 et seq.), and shall not be made available for public inspection.

 

     3.    a.  A sensitive business cybersecurity plan created pursuant to section 2 of P.L.    , c.    (C.        ) (pending before the Legislature as this bill) shall apply to all of the sensitive business’ industrial control systems, and shall conform, to the extent practicable, to the most recent version of one or more of the following industry-recognized cybersecurity frameworks:

     (1)   the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology;

     (2)   the Center for Internet Security Critical Security Controls; or

     (3)   the International Organization for Standardization and International Electrotechnical Commission 27000 series of standards for an information security management system.

     b.    Whenever a final revision to one or more of the frameworks listed in subsection a. of this section is published, a sensitive business whose cybersecurity program reasonably conformed to that framework shall revise its cybersecurity program to reasonably conform to the revised framework, and submit a copy of the revised cybersecurity program to the New Jersey Cybersecurity and Communications Integration Cell, no later than 180 days after publication of the revised framework.

     c.    No later than one year after the effective date of P.L.    , c.    (C.        ) (pending before the Legislature as this bill), and each year thereafter, a sensitive business shall submit to the New Jersey Cybersecurity and Communications Integration Cell a certification demonstrating that the sensitive business is in compliance with the requirements of this section. The certification shall be made in the form and manner prescribed by the Attorney General, in consultation with the New Jersey Cybersecurity and Communications Integration Cell. The certification shall be signed by the responsible corporate officer of the sensitive business if privately held, the executive director, if an authority, or the mayor or chief executive officer of the municipality, if municipally owned, as applicable.

     d.    The New Jersey Cybersecurity and Communications Integration Cell shall cause to be audited, for compliance with this section, a sensitive business that fails to submit a cybersecurity revision pursuant to subsection b. of this section, or a certification pursuant to this section. The audit shall be conducted by a qualified and independent cybersecurity company, at the sensitive business’ expense. Following the audit, the sensitive business shall submit the audit and any corrective action plans derived from the audit to the New Jersey Cybersecurity and Communications Integration Cell.

     e.    A sensitive business shall, upon the request of the Attorney General or the New Jersey Cybersecurity and Communications Integration Cell, provide proof of compliance with the requirements of this section, in a form and manner prescribed by the Attorney General or by the New Jersey Cybersecurity and Communications Integration Cell.

 

     4.    Sections 1 through 3 of this act shall take effect immediately, except that subsection a. of section 2 shall take effect 90 days after the adoption of regulations pursuant to section 2.

STATEMENT

 

     This bill would require a sensitive business, defined as a business engaged in the financial, essential infrastructure, or healthcare industries, to develop a cybersecurity program based on regulations to be adopted by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the Office of Homeland Security and Preparedness. These requirements include updating cybersecurity programs to apply to all of the sensitive business’ industrial control systems, if applicable, reasonably conforming these programs to the most recent version of certain industry-recognized cybersecurity frameworks, and annually certifying compliance with these requirements.

     The bill would require sensitive businesses to submit their cybersecurity plans and revisions to the NJCCIC. The NJCCIC would be directed to audit any sensitive business that fails to submit a cybersecurity plan.