CBP Releases More Broker Cybersecurity Guidance

CBP released a guidance document detailing the roles and responsibilities of CBP and customs brokers faced with cybersecurity incidents. The document, released March 11, further details processes that were outlined in an initial guidance issued in April 2023.

The new guidance includes more information on reporting a cybersecurity incident, CBP's determination of the risk of such an incident and downtime processes. It also includes new information not included in CBP's earlier guidance on how CBP will exercise enforcement discretion.

The potential for enforcement discretion will be decided by the Office of Trade and the Office of Field Operations on a “case-by-case basis,” CBP said. Post-release transactions aren't included in CBP’s consideration for enforcement due to legal deadlines for post-summary corrections, protests, reconciliations, drawback, and post-import refund claims, the agency said.

For all entries affected by the incident that were not released on downtime, but the use of enforcement discretion was allowed, the broker must attach a document for the entry summary that includes the broker, the "date range of enforcement discretion" and reasons for it, the agency said. Brokers must transmit all post-release transactions to ACE immediately once their systems are up and running, CBP said.

CBP is still required to collect interest on liquidated damages, and it can be done through a voluntary tender from the importer or through CBP’s “usual administrative processes” if no voluntary tender is submitted, the agency said. Each affected importer of record and its surety will be notified and encouraged to pay the unpaid debt. Interest will accrue until the debt is paid, CBP said.