Banking trade groups call for changes to proposed cyber incident reporting rule

The Securities Industry and Financial Markets Association (SIFMA), the leading trade association for broker-dealers, investment banks and asset managers, and three other banking trade groups on Friday criticized a federally proposed cyber incident reporting rule.


SIFMA, along with the American Bankers Association, the Bank Policy Institute, and the Institute of International Bankers, urged the Cybersecurity and Infrastructure Security Agency (CISA) to change its proposed rule. The rule would require victims of cyber incidents, like a data breach or other attack, to report to CISA within 72 hours of determining that an incident has occurred.

“Congress directed CISA to create a rule that gives regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack,” the associations wrote in a June 28 letter sent to CISA Director Jen Easterly. “CISA has thus far failed to strike that balance, disregarded congressional intent, and risks straining the U.S. financial system’s cyber defenses.”

The trade groups noted that “significant changes” must be made for this proposal to be useful to regulators and the industry.

“Otherwise,” they wrote, “CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms.”

CISA’s proposed rule is designed to implement the Cyber Incident Reporting for Critical Infrastructure Act, a 2022 law that governs banks’ cybersecurity incident reporting requirements.

The trade groups say the proposal would create “overly burdensome obligations” for banks when responding to cyber incidents.

Currently, CISA is holding a series of listening sessions following the law’s passage. Its parent agency, the U.S. Department of Homeland Security, has also issued a set of recommendations identifying 45 different reporting requirements across the federal government, each with disparate standards and thresholds.

SIFMA and the other letter signers made several recommendations on how CISA should change the proposal to better align with the statute and to achieve a more coordinated and effective cyber incident response.

For instance, they suggested that CISA limit the scope of reporting to what matters most, saying that the current scope is too broad and risks overwhelming regulators with irrelevant data.

Instead, they say, CISA should limit reporting to substantial incidents that affect critical services and clarify that the reporting requirements only apply to the U.S. operations of financial institutions and would not apply if an incident occurs entirely outside the United States.

They also commented that CISA should focus data collection on what companies “need to know” to prevent contagion. The information collected should be based on actionable information that could be shared with other companies to protect the economy and prevent the exploitation of similar vulnerabilities, according to their letter.

CISA also should clarify and reduce the supplemental reporting requirements applicable to covered entities, they wrote, noting that while regular status updates are important, requiring constant reports is not useful and ties up critical response resources.

Finally, the groups wrote that CISA should shorten the time that financial institutions are required to save data so they aren’t forced to incur expenses for data that may no longer be necessary.

“We hope that this feedback will help CISA refine the proposed rule’s reporting requirements in a way that provides critical infrastructure entities with timely and actionable information that will make a meaningful difference in a coordinated cyber incident response,” the groups wrote.