Heather Hogsett Calls for Substantial Changes to Cyber Incident Reporting Rule

Hogsett testifies before House Subcommittee on CISA proposal to implement CIRCIA

Washington, D.C. – Heather Hogsett, BPI senior vice president, technology and risk strategy for BITS, will testify today on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Her remarks, delivered before the U.S. House Subcommittee on Cybersecurity and Infrastructure Protection, call for substantial changes to the proposed rule to increase its utility to government and industry.

What we’re saying:

Heather Hogsett stated:

“CISA should rewrite its proposed rule to avoid collecting more data than necessary and requiring cyber defenders to spend their time filing reports rather than protecting America’s financial system. Reporting for the sake of reporting without timely and actionable alerts is counterproductive for banks and a missed opportunity to strengthen national security. Fixing these problems and addressing the SEC’s harmful cyber incident disclosure rule would go a long way toward protecting the financial system and helping U.S. banks stay ahead of emerging threats.”

Our recommendations:

  • CISA should raise the bar for what must be reported. Over-reporting is counterproductive because it inundates front-line defenders with compliance tasks, distracts them from their ability to respond to significant cyber threats and overwhelms CISA with data that isn’t necessary or useful.
  • Good data in should also mean good data out. CISA needs to develop the capabilities to analyze and interpret the data it receives so that it can share timely and relevant information with industry to help mitigate threats.
  • Data reported to CISA must be protected and shared with care. CISA should clarify how it will protect the sensitive data it will collect to ensure it is not a target of attackers and should develop policies for how data will be shared among other relevant agencies.
  • Congress should urge the SEC to fix its harmful incident disclosure rule. The Securities and Exchange Commission’s cyber incident disclosure rule undermines the purpose of CIRCIA by publicizing a company’s vulnerabilities while CISA is still working to warn other potential victims and prevent further harm. Requiring companies to prematurely disclose threats to the public, sometimes before the problem is even fixed, risks exposing the company to additional harm and increases the risk of contagion across sectors.

To access a copy of the testimony, please click here.

###

About Bank Policy Institute.

The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.

Media Contact

Austin Anton
Bank Policy Institute
austin.anton@bpi.com

Media Inquiry

  • This field is for validation purposes and should be left unchanged.