Letters

Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Joint Trades)

Summary

SIFMA, Bank Policy Institute (BPI), American Bankers Association (ABA) and Institute of International Bankers (IIB) submitted comments to the Cybersecurity and Infrastructure Security Agency on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requirement to develop regulations related to critical infrastructure cyber incident reporting.


Submitted To

Cybersecurity and Infrastructure Security Agency

Submitted By

SIFMA, BPI, ABA and IIB

Date

14 November 2022

Excerpt

Via electronic submission

Director Jen Easterly
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security

Re: Docket ID CISA-2022-0010, Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022

Dear Director Easterly:

The Bank Policy Institute (“BPI”), American Bankers Association (“ABA”), Institute of International Bankers (“IIB”), and Securities Industry and Financial Markets Association (“SIFMA”) (together, “the Associations”)1 appreciate the invitation to contribute comments to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) request for information (“RFI”) on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) requirement to develop regulations related to critical infrastructure cyber incident reporting.

The Associations applaud CISA’s early and frequent communications signaling an intent to work with critical infrastructure entities to craft an effective rule and welcome the efforts evident through this engagement and ongoing public listening sessions. We share a mutual commitment to cybersecurity and the value in sharing threat and incident information, and support efforts to fortify CISA as a leader in this space while minimizing the shared burden to actively defending critical infrastructure systems. The financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. In addition to a long history of complying with a variety of cybersecurity and incident reporting requirements, the financial services sector has been voluntarily sharing cyber threat information when appropriate and in accordance with relevant legal authorities, with the Federal Bureau of Investigation (“FBI”), the U.S. Secret Service, and Department of Homeland Security (“DHS”), to facilitate the federal government’s interdiction of malicious cyber activity. The Associations also share information when appropriate with a wide range of partners via the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), which shares cyber threat information and best practices among nearly 7,000 members across the globe, including 4,600 U.S. financial institutions. The FS-ISAC was one of the first ISACs created in 1999 and is widely recognized as the gold-standard that other sectors have worked to replicate.

 

1 BPI is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans and serve as a principal engine for the nation’s financial innovation and economic growth. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.

The ABA is the voice of the nation’s $23.7 trillion banking industry, which is composed of small, regional, and large banks that together employ more than 2 million people, safeguard $19.6 trillion in deposits, and extend $11.8 trillion in loans.

IIB represents internationally headquartered financial institutions from over thirty-five countries around the world doing business in the United States. Its members consist principally of international banks that conduct U.S. operations through branches and agencies, bank subsidiaries, and broker-dealer subsidiaries. The mission of the IIB is to help resolve the many special legislative, regulatory, and tax issues confronting internationally headquartered financial institutions that engage in banking, securities and/or insurance activities in the United States.

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA)