CISA Misses Mark on Proposed Cyber Incident Reporting Rule

ABA, BPI, IIB and SIFMA comment on shortfalls of CIRCIA proposal

Washington, D.C., June 28, 2024 – The American Bankers Association, Bank Policy Institute, Institute of International Bankers and the Securities Industry and Financial Markets Association raised serious concerns today in a letter to the Cybersecurity & Infrastructure Security Agency on its plan to implement new cyber incident reporting laws. The proposed rule would require victims of cyber incidents, like a data breach or other attack, to report to CISA within 72 hours of determining that an incident has occurred.

“Congress directed CISA to create a rule that gives regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack,” the Associations commented upon filing the letter. “CISA has thus far failed to strike that balance, disregarded congressional intent and risks straining the U.S. financial system’s cyber defenses. Significant changes must be made for this proposal to be useful to regulators and industry; otherwise, CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms.”

The proposal is in response to the Cyber Incident Reporting for Critical Infrastructure Act, which financial institutions supported when it became law in March 2022. CISA engaged in a series of listening sessions following CIRCIA’s passage, and the Department of Homeland Security also issued its own set of recommendations identifying 45 different reporting requirements across the federal government, each with disparate standards and thresholds, that warrant greater harmonization. However, the proposal does not adequately address these shortcomings.

Our recommendations:

CISA should address the following changes to better align with the CIRCIA statute and achieve a more coordinated and effective cyber incident response:

  • Limit the scope of reporting to what matters most. The current scope is too broad and risks overwhelming regulators with irrelevant data. Instead, limit reporting to substantial incidents that affect critical services. Moreover, CISA should clarify that the reporting requirements only apply to the U.S. operations of financial institutions and would not apply if an incident occurs entirely outside of the United States.
  • Focus data collection on what companies “need to know” to prevent contagion. The information collected should be based on actionable information that could be shared with other companies to protect the economy and prevent the exploitation of similar vulnerabilities.
  • Clarify and reduce the supplemental reporting requirements applicable to covered entities. Regular status updates are important; however, requiring constant reports is not useful and ties up critical response resources.
  • Reduce the amount of time firms are required to keep forensic data. CISA should shorten the time that financial institutions are required to save data so they aren’t forced to incur expenses for data that may no longer be necessary.

-30-

About SIFMA

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).

About the American Bankers Association

The American Bankers Association is the voice of the nation’s $24 trillion banking industry, which is composed of small, regional and large banks that together employ approximately 2.1 million people, safeguard $19 trillion in deposits and extend $12.4 trillion in loans.

About Bank Policy Institute

The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.

About IIB

The Institute of International Bankers (IIB) represents the U.S. operations of internationally headquartered financial institutions from more than 35 countries around the world. The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions enhance the depth and liquidity of U.S. financial markets and contribute significantly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.