NJ S1262
Requires businesses in financial, essential infrastructure, and health care industries to develop cybersecurity plans and report cybersecurity incidents.
Introduced: 01/13/2026
In Committee: 01/13/2026
Introduced Session
2026-2027 Regular Session
Bill Summary
This bill requires a sensitive business, defined as a business engaged in the financial, essential infrastructure, or healthcare industries, to develop cybersecurity programs based on regulations to be adopted by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the Office of Homeland Security and Preparedness. These requirements include updating cybersecurity programs to apply to all of the sensitive business' industrial control systems if applicable, reasonably conforming these programs to the most recent version of certain industry-recognized cybersecurity frameworks, and annually certifying compliance with these requirements. The bill also requires sensitive businesses to submit their cybersecurity plans and revisions to the NJCCIC. The NJCCIC is directed to audit any sensitive business that fails to submit a cybersecurity plan. In addition, the bill requires sensitive businesses to report certain cybersecurity incidents promptly to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). For the purposes of this bill, a "cybersecurity incident" means an event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of, or information residing on, computers, information systems, communications systems networks, physical or virtual infrastructure controlled by computers, or information systems. The bill directs the NJCCIC to audit the relevant business no later than 30 days after being made aware of an incident. Cybersecurity audits would be conducted by a qualified and independent cybersecurity company at the sensitive business' expense.
AI Summary
This bill requires businesses in the financial, essential infrastructure, and healthcare industries, referred to as "sensitive businesses," to develop and maintain comprehensive cybersecurity programs. These programs must address risks to their computer systems and, if applicable, their industrial control systems (systems used to control industrial processes like manufacturing), and align with recognized cybersecurity frameworks. Sensitive businesses must annually certify their compliance and submit their cybersecurity plans and any revisions to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), a state entity responsible for cybersecurity. The NJCCIC will audit businesses that fail to submit plans or certifications, with the audits conducted by independent cybersecurity firms at the business's expense. Furthermore, sensitive businesses must promptly report any "cybersecurity incident"—an event on a computer network that compromises the integrity, confidentiality, or availability of information or controlled infrastructure—to the NJCCIC, which will then conduct an audit of the incident response within 30 days, also at the business's cost. Notably, financial institutions already subject to federal cybersecurity regulations under the Gramm-Leach-Bliley Act are exempt from these requirements.
Committee Categories
Justice
Sponsors (2)
Last Action
Introduced in the Senate, Referred to Senate Law and Public Safety Committee (on 01/13/2026)
Official Document
| Document Type | Source Location |
|---|---|
| State Bill Page | https://www.njleg.state.nj.us/bill-search/2026/S1262 |
| BillText | https://pub.njleg.gov/Bills/2026/S1500/1262_I1.HTM |