BPI’s Heather Hogsett testifies before U.S. House Subcommittee on Cybersecurity, Infrastructure Protection and Innovation on cyber incident reporting
Washington D.C. — Today, Heather Hogsett, Senior Vice President of Technology and Risk Strategy for BITS, the technology policy division of the Bank Policy Institute, will testify before the U.S. House Subcommittee on Cybersecurity, Infrastructure Protection and Innovation. The goal of the hearing is to engage stakeholders on a legislative proposal that would create additional reporting and notification requirements for critical infrastructure sectors, including banks, during a cyber event.
“We greatly appreciate the Committee’s leadership to address the nation’s cybersecurity challenges and efforts to improve the resilience of critical infrastructure,” stated Hogsett in her submitted testimony. “We share a mutual commitment to cybersecurity and the value in sharing threat and incident information, and support efforts to fortify CISA as a leader in this space.”
Banks have been complying with a long list of federal and state legal and regulatory requirements for cybersecurity and incident reporting for over 20 years, which Hogsett catalogs in her testimony, and are active contributors to numerous public-private information-sharing and collaboration initiatives. The financial services sector was the first industry to establish an information sharing and analysis center in 1999, as well as a sector coordinating council shortly thereafter — efforts that have served as a model for other sectors. Hogsett commends the Committee for addressing the following five elements in its discussion draft and emphasizes that these recommendations are critical to achieving a shared goal of protecting the nation’s critical infrastructure.
- Scope –Required reporting must focus on incidents that could cause actual harm, which will ensure CISA receives accurate and useful data. Approaches which seek to mandate reporting of “potential” incidents are too broad and would lead to over-reporting that is insufficiently focused on the actual risks.
- Timeline – Reporting no earlier than 72 hours after confirmation an incident has occurred strikes the right balance to allow sufficient time for investigation and implementation of remediation and response measures while reporting timely and useful information to CISA.
- Harmonization – New reporting requirements must be harmonized with existing laws and regulations to ensure implementation avoids unnecessary duplication and establishes a streamlined process for all required reporting.
- Maintain Protections and Definitions in the Cybersecurity and Information Sharing Act of 2015 (CISA Act) – Any bill in Congress that seeks to mandate cyber information sharing should incorporate the key definitions and protections already created by the CISA Act for private firms sharing information with government.
- Helping Companies Understand if Their Data has Been Compromised – Government agencies who are attacked should be required to notify critical infrastructure entities when their sensitive information may be compromised.
To access a directory of existing incident reporting laws that apply to banks, please click here. To learn more about existing information-sharing and collaboration efforts, please click here.
About Bank Policy Institute.
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.
Bank Policy Institute