June 28, 2024
Submitted via CISA Comments Portal
Director Jen Easterly
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Re: Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Reporting Requirements
Dear Director Easterly,
The American Bankers Association (the “ABA”), Bank Policy Institute (the “BPI”), Institute of International Bankers (the “IIB”), and the Securities Industry and Financial Markets Association (“SIFMA”) (together, “the Associations”) appreciate the opportunity to comment on the Cybersecurity & Infrastructure Security Agency’s (“CISA” or the “Agency”) rule proposal on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Proposal” or “Proposed Rule”) on behalf of the financial services industry.
The Associations recognize the benefits of sharing threat intelligence and incident information that will enable CISA to provide valuable tools and information to help defend the nation’s critical infrastructure. The Associations appreciate CISA’s objective to introduce clearly defined reporting requirements that will support trend analysis, vulnerability identification, provision of early warnings, and other key national security purposes.
However, the Proposal extends beyond the authorities granted to CISA under the statute and departs substantially from what Congress intended when it enacted CIRCIA. At that time, Congress was careful to note that CIRCIA sought to strike “a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.” Congress also reiterated that CIRCIA should be implemented “in a way that accounts for the practical needs of industry.” The Proposed Rule falls short of these critical considerations.
The Proposal itself requires reporting of more detailed and expansive data elements than observed in any of the current cyber regulatory reporting requirements, thereby prioritizing routine government reporting over more critical and impactful response and remediation work and potentially increasing operational risks. The proposed reporting requirements essentially mean that Congress’s intention to create a “substantially similar” exception for reporting to other regulators was simply ignored. Congress clearly envisioned more limited reporting, given that Congress believed some reporting would be exempted because of existing regulations. In addition, provisions in the proposed substantial cyber incident definition create an unnecessarily low threshold for reporting, which will likely cause a flood of reports on low-risk incidents that will provide limited value to the government but will come at great cost to the reporting entities. Providing the requested information will divert the attention of incident response teams during the most consequential phase of an incident. The Proposed Rule will, in its current form, also add overly burdensome obligations to an already sizeable incident reporting compliance apparatus.
There are areas where CISA can enhance the Proposed Rule to allow for reporting requirements that support CISA’s stated goals without creating overly burdensome reporting obligations during the critical early stages of incident response. As described further below, we respectfully offer the following recommendations for further revision.
- Refine the applicability of the Proposed Rule and the scope of reportable incidents to focus on substantial incidents that impact critical services and harmonize with existing regulations.
- Refine and limit the proposed reporting requirements to information directly related to an actionable purpose, such as detecting signs of a widespread vulnerability, so CISA can provide early alerts to critical infrastructure sectors. Narrowing reporting requirements in this way would be consistent with Congress’s intent that some existing reporting requirements be captured by CIRCIA’s “substantially similar” exception. CISA should also ensure that covered entities are able to exercise the substantially similar exception by publishing guidance on data sharing agreements.
- Clarify and reduce the supplemental reporting requirements applicable to covered entities.
- Reduce the recordkeeping burden for incident information.
We hope that this feedback will help CISA refine the Proposed Rule’s reporting requirements in a way that provides critical infrastructure entities with timely and actionable information that will make a meaningful difference in a coordinated cyber incident response.