Mondo Visione Worldwide Financial Markets Intelligence

CISA Misses Mark On Proposed Cyber Incident Reporting Rule - ABA, BPI, IIB And SIFMA Comment On Shortfalls Of CIRCIA Proposal

Date 28/06/2024

The American Bankers Association, Bank Policy Institute, Institute of International Bankers and the Securities Industry and Financial Markets Association raised serious concerns today in a letter to the Cybersecurity & Infrastructure Security Agency on its plan to implement new cyber incident reporting laws. The proposed rule would require victims of cyber incidents, like a data breach or other attack, to report to CISA within 72 hours of determining that an incident has occurred.

“Congress directed CISA to create a rule that gives regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack,” the Associations commented upon filing the letter. “CISA has thus far failed to strike that balance, disregarded congressional intent and risks straining the U.S. financial system’s cyber defenses. Significant changes must be made for this proposal to be useful to regulators and industry; otherwise, CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms.”

The proposal is in response to the Cyber Incident Reporting for Critical Infrastructure Act, which financial institutions supported when it became law in March 2022. CISA engaged in a series of listening sessions following CIRCIA’s passage, and the Department of Homeland Security also issued its own set of recommendations identifying 45 different reporting requirements across the federal government, each with disparate standards and thresholds, that warrant greater harmonization. However, the proposal does not adequately address these shortcomings.

Our recommendations:

CISA should make the following changes to better align the rule with the CIRCIA statute and achieve a more coordinated and effective cyber incident response:

  • Limit the scope of reporting to what matters most. The current scope is too broad and risks overwhelming regulators with irrelevant data. Instead, limit reporting to substantial incidents that affect critical services. Moreover, CISA should clarify that the reporting requirements only apply to the U.S. operations of financial institutions and would not apply if an incident occurs entirely outside of the United States.
  • Focus data collection on what companies “need to know” to prevent contagion. The information collected should be based on actionable information that could be shared with other companies to protect the economy and prevent the exploitation of similar vulnerabilities.
  • Clarify and reduce the supplemental reporting requirements applicable to covered entities. Regular status updates are important; however, requiring constant reports is not useful and ties up critical response resources.
  • Reduce the amount of time firms are required to keep forensic data. CISA should shorten the time that financial institutions are required to save data so they aren’t forced to incur expenses for data that may no longer be necessary.