Banks, Telecom and Electric Sectors Call for Changes to CIRCIA

Dear Director Easterly:

The undersigned organizations appreciate the opportunity to provide comments in response to the Cybersecurity and Infrastructure Security Agency’s (CISA) Notice of Proposed Rulemaking (NPRM) pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The communications sector, electricity subsector, and financial services sector represent some of the most sophisticated critical infrastructure owners and operators across the United States and there is real concern that even the most mature sectors will be operationally challenged by the proposed rule if it is finalized as is. This burden will divert critical security resources at a time when “the People’s Republic of China’s targeting of our critical infrastructure is both broad and unrelenting.”[1] Therefore, we encourage CISA to limit the scope and raise the threshold for incident reporting by amending the definition of a substantial cyber incident in the final rule.

CIRCIA marks a historic shift in federal cyber incident reporting and has an important goal of identifying and mitigating cyber risk across all sectors of the economy. The CIRCIA authorizing committees left many of the definitions to the rulemaking process to allow for industry input, including the definition of a substantial cyber incident. Each of our sectors is grateful for the chance to partner with CISA to focus the scope and scale of this definition in a way that prioritizes both security and operational continuity.

CISA should limit the scope of the substantial cyber incident definition to better align with the intent of Congress. During a House Committee on Homeland Security hearing in which the Bank Policy Institute, Edison Electric Institute, and USTelecom provided testimony, the lead sponsor of the CIRCIA legislation, Congresswoman Yvette Clarke, said, “our intent was that reporting requirements would be appropriately tailored to limit overreporting and ensure that CIRCIA ultimately yields the security benefits we intended…we did not intend to subject everyone or every incident to reporting.”[2] We believe CISA significantly underestimates the volume of reports it would receive under the proposed rule as currently drafted. As such, CISA should narrow the scope of reporting requirements to truly impactful incidents so that we can separate signal from noise and glean meaningful insights that address real risks. This may help CISA prioritize resources and mitigations for those incidents meeting that higher threshold.

Cyber incident reporting can help government and industry identify trends and systemic risk across sectors, but it also has the potential to divert resources from improving cybersecurity outcomes to compliance. CISA should raise the threshold for the substantial cyber incident definition to enhance reporting efficiency and security outcomes. The National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) designates 16 critical infrastructure sectors whose “physical and virtual assets, systems, and networks are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health and safety.”[3] Of these 16 sectors, the communications, electricity, and financial services sectors provide some of the most important functions to supporting a strong national economy and preserving national security. For decades, the owners and operators of these critical services have played an important role in incident response. Given that experience, our sectors strongly recommend that CISA limit the substantial cyber incident definition to incidents directly impacting the operational capabilities of the critical infrastructure entity, as determined by the owners and operators, and only where such operational capabilities fall within congressional intent.

In addition to amending the substantial cyber incident definition, our sectors agree that CISA should work to harmonize federal cyber incident reporting requirements, reduce the data elements and data preservation requirements, and protect all information submitted under CIRCIA.

Each of us is committed to working with both public and private partners across all sectors to comply with incident reporting requirements in a way that prioritizes and enhances critical infrastructure security. We look forward to working with CISA to further refine the substantial cyber incident definition and implement the final rule.

Sincerely,

American Bankers Association
American Public Power Association
Bank Policy Institute
Edison Electric Institute
National Rural Electric Cooperative Association
NTCA – The Rural Broadband Association
Securities Industry and Financial Markets Association
USTelecom – The Broadband Association


[1] FBI Director Christopher Wray, Vanderbilt Summit on Modern Conflict and Emerging Threats, FBI.GOV, April 18, 2024, https://www.fbi.gov/news/stories/chinese-government-poses-broad-and-unrelenting-threat-to-u-s-critical-infrastructure-fbi-director-says.

[2] Surveying CIRCIA: Sector Perspectives on the Notice of Proposed Rulemaking, HOMELAND.HOUSE.GOV, May 1, 2024, https://homeland.house.gov/hearing/surveying-circia-sector-perspectives-on-the-notice-of-proposed-rulemaking/.

[3] National Security Memorandum on Critical Infrastructure Security and Resilience, WHITEHOUSE.GOV, April 30, 2024, https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/.