BPI, ABA, IIB and SIFMA respond to CISA request for information
Washington, D.C. – The Bank Policy Institute, American Bankers Association, Institute of International Bankers and the Securities Industry and Financial Markets Association responded late yesterday to a Cybersecurity and Infrastructure Security Agency (CISA) request for information on new cyber incident reporting requirements, established by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The associations urged CISA to prioritize reporting requirements that are accessible, functional and simple and to carefully weigh the type and volume of data collected so that it remains useful to prevent systemic vulnerabilities and combat bad actors.
“Effective visibility, awareness and coordinated information sharing between the public and private sectors are critical during a cyber incident, and reasonable incident reporting to government entities can help disrupt attackers and assist affected firms with protection, mitigation, and response,” the associations wrote. “We urge CISA to recognize this as an opportunity to demonstrate needed leadership and ensure that where there are requirements for incident reporting, they are simple, tied to an actionable purpose and bidirectionally useful.”
What are the associations requesting?
The associations request that CISA consider the following recommendations as part of the rulemaking process:
- Any information collected should be information that is needed. Collecting too much, or overly broad, information reduces the usefulness of the data and burdens both CISA and the reporting entity.
- The criteria for reporting should be based on the incident’s circumstances and severity. Only incidents that are both severe and threatening (i.e., involve malicious intent) should require a report. Entities should not be required to report technology outages or other service-related interruptions that, while inconvenient, do not pose systemic threats.
- The final rule should encourage timely, accurate reporting and should leave the door open for ongoing voluntary information sharing. Reporting should be staggered to ensure that information is timely, useful and accurate. Reports containing high-level details within 72 hours should be expected, but supplemental updates should be optional based on internal discretion. This eliminates reporting for the sake of reporting when no major updates are available, without precluding real-time collaboration between CISA and the affected entity.
- In certain circumstances, the requirement to report should apply to non-critical services as well as critical ones. Many technology providers, such as cloud services and data aggregators, have access to large amounts of sensitive data. Requiring reporting only from critical infrastructure sectors ignores the incident’s materiality and the possible systemic risks.
- CISA should clarify how information will be stored, secured and transmitted. It should also indicate how data will be shared among governmental entities and other covered entities.
- Reports should be accepted through a range of channels. Incident reports should be accepted by both electronic and non-electronic means so that information can be shared even during system outages.
- The final rule should be harmonized with other reporting requirements. The new rule should consider requirements already in place such as the recent Computer Security Incident Notification Rule issued by the three federal banking agencies and should adopt the findings of the Cyber Incident Reporting Council.
- CISA should clarify liability protections for affected entities, and rules for multinational entities. Reporting entities should be encouraged to proactively report without fear of penalty or reputational harm, and multinational entities with a U.S. presence should have a clear understanding of how to handle cyber incidents that occur outside of U.S. jurisdiction.
CIRCIA was signed into law as part of the omnibus spending bill in March 2022. Since March, CISA has hosted a series of public and private listening sessions across sectors to identify key priorities before undertaking the formal rulemaking process. The request for information is part of the early stages of that process.
While reporting requirements have applied to the financial services sector for over 20 years, these rules expand those requirements to the other 15 U.S. sectors designated as “critical infrastructure.” The law also designates CISA as a central authority to help aggregate and analyze data to help prevent the spread of cyber incidents to other entities or sectors.
About Bank Policy Institute
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.