A group of banking industry associations responded to a request for information (RFI) by the Cybersecurity and Infrastructure Security Agency (CISA) on new cyber incident reporting requirements.
The coalition — which includes the Bank Policy Institute (BPI), American Bankers Association (ABA), Institute of International Bankers, and the Securities Industry and Financial Markets Association (SIFMA) — urged CISA to prioritize reporting requirements that are accessible, functional, and straightforward. They also asked CISA to carefully weigh the type and volume of data collected so that it remains useful to prevent systemic vulnerabilities and combat bad actors.
The proposed requirements were developed in line with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA was signed into law as part of the omnibus spending bill in March 2022.
“Effective visibility, awareness, and coordinated information sharing between the public and private sectors are critical during a cyber incident, and reasonable incident reporting to government entities can help disrupt attackers and assist affected firms with protection, mitigation, and response,” the associations wrote in a letter to CISA officials. “We urge CISA to recognize this as an opportunity to demonstrate needed leadership and ensure that where there are requirements for incident reporting, they are simple, tied to an actionable purpose, and bidirectionally useful.”
The associations outlined several recommendations for CISA in the rulemaking process. They recommend that any information collected should be information that is actually needed; that the criteria for reporting should be based on the incident’s circumstances and severity; that the final rule should encourage timely, accurate reporting and leave the door open for ongoing voluntary information sharing; that the requirement to report should apply equally to critical and non-critical services in certain circumstances; that CISA should clarify how the information will be stored, secured, and transmitted; that the final rule should be harmonized with other reporting requirements; and that CISA should clarify liability protections for affected entities and rules for multinational entities.
The associations point out that while reporting requirements have applied to the financial services sector for over 20 years, these rules expand those requirements to the other 15 U.S. sectors designated as “critical infrastructure.” CIRCIA also designates CISA as a central authority to help aggregate and analyze data to help prevent the spread of cyber incidents to other entities or sectors.
CISA has hosted a series of public and private listening sessions across sectors to identify key priorities since the bill was passed last March. This RFI is now part of the early stages of the formal rulemaking process.