Financial Trades Urge CISA to Rescind and Revise Overly Broad Cyber Reporting Rule

Washington, D.C. — A coalition of financial trade associations today urged the Cybersecurity and Infrastructure Security Agency to rescind and reissue its proposed cyber incident reporting rule to implement the Cyber Incident Reporting for Critical Infrastructure Act. The groups — including the Bank Policy Institute, American Bankers Association, Institute of International Bankers and the Securities Industry and Financial Markets Association — warn that the proposed rule diverges from congressional intent, imposes unnecessary burdens and shifts critical cybersecurity resources away from defending institutions and their customers.

“We believe the proposed rule will have significant and detrimental repercussions if not substantially revised,” the Associations wrote. “As such, we ask that you work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports.”

What They’re Saying:

CIRCIA, signed into law in March 2022, was championed by bipartisan lawmakers to strengthen cyber incident reporting without creating undue burdens. However, key congressional leaders now express concern that CISA’s proposed rule exceeds its mandate:

  • “The NPRM ignores the burden to industry by asserting that technology will process the amount of information it requests . . . [The proposal would] undoubtedly skyrocket[] compliance work and clashes with congressional intent.” – Rep. Andrew Garbarino (R-NY)
  • “The NPRM appears to, at times, mischaracterize or dismiss Congressional intent” – Reps. Bennie Thompson (D-MS), Yvette Clarke (D-NY), and Eric Swalwell (D-CA)
  • “[I]t is very important that the regulation is well-crafted and reflects both Congressional intent and the public’s recommendations. As currently written, I have concerns that the effect of this proposed rule fails to hit this mark.” – Sen. Gary Peters (D-MI)

What are the associations requesting?

As the Associations have previously advocated, the successful implementation of this rule must account for the following:

  • Limit the scope of reporting to what matters most. The current scope is too broad and risks overwhelming regulators with irrelevant data. Instead, limit reporting to substantial incidents that affect critical services. Moreover, CISA should clarify that the reporting requirements only apply to the U.S. operations of financial institutions and would not apply if an incident occurs entirely outside of the United States.
  • Focus data collection on what companies “need to know” to prevent contagion. The information collected should be based on actionable information that could be shared with other companies to protect the economy and prevent the exploitation of similar vulnerabilities.
  • Clarify and reduce the supplemental reporting requirements applicable to covered entities. Regular status updates are important; however, requiring constant reports is not useful and ties up critical response resources.
  • Reduce the amount of time firms are required to keep forensic data. CISA should shorten the time that financial institutions are required to save data so they aren’t forced to incur expenses for data that may no longer be necessary.
