A coalition of financial trade associations has called on the Cybersecurity and Infrastructure Security Agency (CISA) to reconsider its proposed cyber incident reporting rule. The rule is intended to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The group, which includes the Bank Policy Institute, American Bankers Association, Institute of International Bankers, and Securities Industry and Financial Markets Association, argues that the proposal deviates from congressional intent and places unnecessary burdens on institutions.
"We believe the proposed rule will have significant and detrimental repercussions if not substantially revised," the Associations stated. They urged CISA to collaborate with industry stakeholders to create a new rule that allows companies to prioritize responding to attacks over filing reports.
CIRCIA was enacted in March 2022 with bipartisan support to enhance cyber incident reporting without imposing undue burdens. However, some congressional leaders now express concerns about CISA's proposed rule exceeding its mandate:
"The NPRM ignores the burden to industry by asserting that technology will process the amount of information it requests... [The proposal would] undoubtedly skyrocket[] compliance work and clashes with congressional intent," said Rep. Andrew Garbarino (R-NY).
"The NPRM appears to, at times, mischaracterize or dismiss Congressional intent," noted Reps. Bennie Thompson (D-MS), Yvette Clarke (D-NY), and Eric Swalwell (D-CA).
"[I]t is very important that the regulation is well-crafted and reflects both Congressional intent and the public’s recommendations. As currently written, I have concerns that the effect of this proposed rule fails to hit this mark," commented Sen. Gary Peters (D-MI).
The associations advocate several changes to how the rule is implemented:
- Limit reporting scope to significant incidents affecting critical services.
- Focus data collection on actionable information needed to prevent contagion.
- Clarify supplemental reporting requirements for covered entities.
- Reduce time firms must retain forensic data.
For further details, a copy of the letter can be accessed through their respective contacts: Austin Anton at Bank Policy Institute, Sarah Grano at American Bankers Association, Garrett Hawkins at Institute of International Bankers, and Katrina Cavalli at Securities Industry and Financial Markets Association.