
Banking industry associations call for changes to proposed cyber incident reporting rules

The Securities Industry and Financial Markets Association (SIFMA), the leading industry association for broker-dealers, investment banks and asset managers, and three other banking industry associations on Friday criticized a rule proposed by the federal government on reporting cyber incidents.


SIFMA, along with the American Bankers Association, the Bank Policy Institute and the Institute of International Bankers, called on the Cybersecurity and Infrastructure Security Agency (CISA) to amend its proposed rule. The rule would require covered entities that suffer substantial cyber incidents, such as data breaches or other attacks, to report them to CISA within 72 hours of reasonably believing the incident occurred.

“Congress directed CISA to create a rule that provides timely information to regulators without distracting front-line defenders from the immediate task of stopping the attack,” the associations wrote in a June 28 letter to CISA Director Jen Easterly. “CISA has so far failed to strike this balance, disregarded Congressional intent, and risked overwhelming the cyber defenses of the U.S. financial system.”

The associations said “significant changes” were needed before the proposal would be beneficial to regulators and industry alike.

“Otherwise,” they wrote, “CISA is pushing forward another requirement that requires routine government reporting on companies’ security needs.”

CISA’s proposed rule implements the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a 2022 law that requires critical infrastructure entities, including banks, to report cybersecurity incidents to the federal government.

Industry associations say the proposal would create “overly burdensome obligations” for banks when responding to cyber incidents.

CISA has held a series of hearings since the law was passed. Its parent agency, the U.S. Department of Homeland Security, has also issued a report identifying 45 different federal cyber incident reporting requirements, each with its own standards and thresholds.

SIFMA and the other signatories of the letter made several recommendations on how they believe CISA should address the changes to better align with the law and achieve a more coordinated and effective response to cyber incidents.

For example, they argued that the proposed scope of reporting is too broad and could overburden regulators with irrelevant data. CISA should instead limit reporting to significant incidents affecting critical services, and clarify that the requirement applies only to the U.S. business activities of financial institutions, not to incidents that occur entirely outside the United States.

They also noted that CISA should focus data collection on what companies “need to know” to prevent contagion. The information collected should be based on actionable intelligence that could be shared with other companies to protect the economy and prevent exploitation of similar vulnerabilities, their letter said.

In addition, CISA should clarify and reduce the supplemental reporting obligations placed on affected companies, they wrote. While regular status updates are important, requiring constant reporting is not useful and ties up response resources while an incident is still being handled.

Finally, the groups wrote that CISA should shorten the period for which financial institutions must retain incident-related data, so that they are not forced to bear the cost of storing data they may no longer need.

“We hope this feedback will help CISA refine the reporting requirements of the proposed rule to provide critical infrastructure entities with timely, actionable information that will make a meaningful difference in a coordinated response to cyber incidents,” the groups wrote.