A coalition of financial trade associations urged the Cybersecurity and Infrastructure Security Agency to revise proposed cyber incident reporting rules to implement the Cyber Incident Reporting for Critical Infrastructure Act.
The groups, which includes the Bank Policy Institute, the American Bankers Association, the Institute of International Bankers and the Securities Industry and Financial Markets Association – said the rule as proposed diverges from congressional intent and imposes unnecessary burdens on institutions and their customers. Additionally, the group said, it shifts cybersecurity resources away from defending the institutions and the customers it was designed to protect.
“We believe the proposed rule will have significant and detrimental repercussions if not substantially revised,” the associations wrote. “As such, we ask that you work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports.”
In a letter to U.S. Department of Homeland Security Secretary Kristi Noem, and to U.S. U.S. Office of Management & Budget Director Russell Vought, the group asked that the rule limit the scope of reporting, saying the current scope is overly broad and risks overwhelming regulators; that data collection focuses on what companies need to know; and that reporting requirements be clarified and reduced. The group also requested that the revised regulation reduce the amount of time firms are required to keep forensic data.