Financial Trades Respond to CISA Request for Information on Cyber Incident Reporting

Dear Director Easterly:

The Bank Policy Institute (“BPI”), American Bankers Association (“ABA”), Institute of
International Bankers (“IIB”), and Securities Industry and Financial Markets Association (“SIFMA”)
(together, “the Associations”) [1] appreciate the invitation to contribute comments to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) request for information (“RFI”) on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) requirement to develop regulations related to critical infrastructure cyber incident reporting.

The Associations applaud CISA’s early and frequent communications signaling an intent to work with critical infrastructure entities to craft an effective rule and welcome the efforts evident through this engagement and ongoing public listening sessions. We share a mutual commitment to cybersecurity and the value in sharing threat and incident information, and support efforts to fortify CISA as a leader in this space while minimizing the shared burden on actively defending critical infrastructure systems. The financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. In addition to a long history of complying with a variety of cybersecurity and incident reporting requirements, the financial services sector has been voluntarily sharing cyber threat information when appropriate and in accordance with relevant legal authorities, with the Federal Bureau of Investigation (“FBI”), the U.S. Secret Service, and the Department of Homeland Security (“DHS”), to facilitate the federal government’s interdiction of malicious cyber activity. The Associations also share information when appropriate with a wide range of partners via the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), which shares cyber threat information and best practices among nearly 7,000 members across the globe, including 4,600 U.S. financial institutions. The FS-ISAC was one of the first ISACs created in 1999 and is widely recognized as the gold standard that other sectors have worked to replicate.

We agree with CISA’s assertion that the proliferation of cyber incidents is one of the most critical economic and national security threats facing our nation. Effective visibility, awareness, and coordinated information sharing between the public and private sectors is critical during a cyber incident, and reasonable incident reporting to government entities can help disrupt attackers and assist affected firms with protection, mitigation, and response. We understand that the ability to attribute cyber incidents to an entity or entities is key to supporting other important policy objectives, including holding malicious actors accountable for their nefarious activities. However, there are multiple policy objectives at play across the incident reporting landscape, such as providing early warning with actionable information and voluntary supplemental information sharing as the incident unfolds. We urge CISA to recognize this as an opportunity to demonstrate needed leadership and ensure that where there are requirements for incident reporting, they are simple, tied to an actionable purpose, and broadly useful.

As a critical infrastructure sector that regularly reports cyber incidents to a variety of financial regulators, both domestic and international, we believe the effectiveness of this rule largely depends on CISA requiring a high threshold of severity for the incidents required to be reported. Thousands of cyber events – system changes that may have an impact on organizational operations (including mission, capabilities or reputation)[2] – occur daily, and critical infrastructure entities are constantly monitoring and evaluating for signals of intensified or malicious events that may turn out to be precursors to serious cyber incidents. If the incident threshold is set too low, the amount of information reported will be so voluminous as to render the reporting exercise useless in the context of the CISA mission. It will also impose an unnecessary burden on companies that in many instances already have a sizeable cyber incident reporting compliance obligation in addition to their ongoing need to focus resources on critical network defense efforts.

We strongly believe that the cyber incident information required to be reported should be tightly linked with an actionable purpose and would appreciate further clarity from CISA on how it will utilize the reported incident information in furtherance of that purpose. Additionally, we call on CISA to provide clear principles regarding how the reported information will be stored, secured and transmitted, both within the agency as well as shared with, or accessed by, other government entities and other covered entities. It is critical that CISA appropriately balances the need to get information into the right hands quickly without creating noise in the reporting channel that could be both a distraction for CISA and a burden to the cyber teams of covered entities. We hope that this feedback will help CISA develop workable reporting requirements that create confidence that the information required to be reported to CISA makes a meaningful difference in a coordinated cyber incident response.


[1] BPI is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans and serve as a principal engine for the nation’s financial innovation and economic growth. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.

The ABA is the voice of the nation’s $23.7 trillion banking industry, which is composed of small, regional, and large banks that together employ more than 2 million people, safeguard $19.6 trillion in deposits, and extend $11.8 trillion in loans.

IIB represents internationally headquartered financial institutions from over thirty-five countries around the world doing business in the United States. Its members consist principally of international banks that conduct U.S. operations through branches and agencies, bank subsidiaries, and broker-dealer subsidiaries. The mission of the IIB is to help resolve the many special legislative, regulatory, and tax issues confronting internationally headquartered financial institutions that engage in banking, securities and/or insurance activities in the United States.

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).