Wednesday, July 3, 2024
Kate Childress | Executive Vice President and Head of Public Affairs of BPI | Bank Policy Institute website

Financial groups critique CISA's proposed cyber incident reporting rule

The American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association raised serious concerns today in a letter to the Cybersecurity and Infrastructure Security Agency (CISA) regarding its plan to implement new cyber incident reporting laws. The proposed rule would require victims of cyber incidents, such as data breaches or other attacks, to report to CISA within 72 hours of determining that an incident has occurred.

“Congress directed CISA to create a rule that gives regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack,” the Associations commented upon filing the letter. “CISA has thus far failed to strike that balance, disregarded congressional intent and risks straining the U.S. financial system’s cyber defenses. Significant changes must be made for this proposal to be useful to regulators and industry; otherwise, CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms.”

The proposal responds to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which financial institutions supported when it became law in March 2022. Following CIRCIA’s passage, CISA engaged in a series of listening sessions, and the Department of Homeland Security issued recommendations identifying 45 different reporting requirements across the federal government that warrant greater harmonization. However, according to these associations, the proposal does not adequately address these shortcomings.

Their recommendations include:

1. Limiting the scope of reporting to substantial incidents affecting critical services only.

2. Clarifying that reporting requirements apply solely to U.S. operations.

3. Focusing data collection on actionable information needed by companies.

4. Reducing supplemental reporting requirements for covered entities.

5. Shortening the time required for firms to retain forensic data.

The Bank Policy Institute describes itself as a nonpartisan public policy group representing universal banks, regional banks, and major foreign banks operating in the United States.

For further details or a copy of the letter, contact:

- Austin Anton at Bank Policy Institute: austin.anton@bpi.com

- Sarah Grano at American Bankers Association: sgrano@aba.com

- Garrett Hawkins at Institute of International Bankers: ghawkins@iib.org

- Katrina Cavalli at Securities Industry and Financial Markets Association: kcavalli@sifma.org
