Washington, D.C. – The Bank Policy Institute, American Bankers Association, Institute of International Bankers and the Securities Industry and Financial Markets Association responded late yesterday to a Cybersecurity and Infrastructure Security Agency (CISA) request for information on new cyber incident reporting requirements, established by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The associations urged CISA to prioritize reporting requirements that are accessible, functional and simple and to carefully weigh the type and volume of data collected so that it remains useful to prevent systemic vulnerabilities and combat bad actors.

“Effective visibility, awareness and coordinated information sharing between the public and private sectors are critical during a cyber incident, and reasonable incident reporting to government entities can help disrupt attackers and assist affected firms with protection, mitigation, and response,” the associations wrote. “We urge CISA to recognize this as an opportunity to demonstrate needed leadership and ensure that where there are requirements for incident reporting, they are simple, tied to an actionable purpose and bidirectionally useful.”

What are the associations requesting?

The associations request that CISA consider the following recommendations as part of the rulemaking process:

• Any information collected should be information that is needed. Collecting too much, or overly broad, information reduces the usefulness of the data and burdens both CISA and the reporting entity.
• The criteria for reporting should be based on the incident’s circumstances and severity. Only incidents that are severe and threatening (i.e., have malicious intent) should require a report. Entities should not be required to report technology outages or other service-related interruptions that, while inconvenient, do not pose systemic threats.
• The final rule should encourage timely, accurate reporting and should leave the door open for ongoing voluntary information sharing. Reporting should be staggered to ensure that information is timely, useful and accurate. Reports containing high-level details within 72 hours should be expected, but supplemental updates should be optional based on internal discretion. This eliminates reporting for the sake of reporting when no major updates are available, without precluding real-time collaboration between CISA and the affected entity.
• The requirement to report should apply equally to critical and non-critical services in certain circumstances. Many technology providers like cloud services and data aggregators have access to large amounts of sensitive data. Requiring reporting only from critical infrastructure sectors ignores the incident’s materiality and the possible systemic risks.
• CISA should clarify how information will be stored, secured and transmitted. It should also indicate how data will be shared among governmental entities and other covered entities.
• Reports should be accepted through a range of channels. Incident reports should be accepted by both electronic and non-electronic means so that information can be shared even during system outages.
• The final rule should be harmonized with other reporting requirements. The new rule should consider requirements already in place such as the recent Computer Security Incident Notification Rule issued by the three federal banking agencies and should adopt the findings of the Cyber Incident Reporting Council.
• CISA should clarify liability protections for affected entities, and rules for multinational entities. Reporting entities should be encouraged to proactively report without fear of penalty or reputational harm, and multinational entities with a U.S. presence should have a clear understanding of how to handle cyber incidents that occur outside of U.S. jurisdiction.

CIRCIA was signed into law as part of the omnibus spending bill in March 2022. Since March, CISA has hosted a series of public and private listening sessions across sectors to identify key priorities before undertaking the formal rulemaking process. The request for information is part of the early stages of that process.

While reporting requirements have applied to the financial services sector for over 20 years, these rules expand those requirements to the other 15 U.S. sectors designated as “critical infrastructure.” The law also designates CISA as a central authority to help aggregate and analyze data to help prevent the spread of cyber incidents to other entities or sectors.

To access a copy of the joint response, please click here.

###

Media Contacts:
Sarah Grano
American Bankers Association
[email protected]

Austin Anton
Bank Policy Institute
[email protected]

Meghan Milloy
Institute of International Bankers
[email protected]

Katrina Cavalli
SIFMA
[email protected]

About Bank Policy Institute.

The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

About the American Bankers Association.

The American Bankers Association is the voice of the nation’s $23.7 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2 million people, safeguard nearly $19.6 trillion in deposits and extend $11.8 trillion in loans.

About the Institute of International Bankers.

The Institute of International Bankers (IIB) represents internationally headquartered financial institutions from over thirty-five countries around the world doing business in the United States. Its members consist principally of international banks that conduct U.S. operations through branches and agencies, bank subsidiaries, and broker-dealer subsidiaries. The mission of the IIB is to help resolve the many special legislative, regulatory, and tax issues confronting internationally headquartered financial institutions that engage in banking, securities, and/or insurance activities in the United States.

About Securities Industry and Financial Markets Association.

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.