Letters

Cyber Incident Reporting for Critical Infrastructure Act of 2022 Reporting Requirements (Joint Trades)

Summary

SIFMA, The American Bankers Association (ABA), the Bank Policy Institute (BPI), and the Institute of International Bankers (IIB), provided comments to the Cybersecurity and Infrastructure Security Agency (CISA) on the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

See related: CISA Misses Mark on Proposed Cyber Incident Reporting Rule


Submitted To: CISA

Submitted By: SIFMA, ABA, BPI, and IIB

Date: 28 June 2024

Excerpt

June 28, 2024

Submitted via CISA Comments Portal

Director Jen Easterly
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security

Re:  Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) Reporting Requirements

Dear Director Easterly,

The American Bankers Association (the “ABA”),[1] Bank Policy Institute (the “BPI”),[2] Institute of International Bankers (the “IIB”),[3] and the Securities Industry and Financial Markets Association (“SIFMA”)[4] (together, “the Associations”) appreciate the opportunity to comment on the Cybersecurity & Infrastructure Security Agency’s (“CISA” or the “Agency”) rule proposal on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Proposal” or “Proposed Rule”) on behalf of the financial services industry.

The Associations recognize the benefits of sharing threat intelligence and incident information that will enable CISA to provide valuable tools and information to help defend the nation’s critical infrastructure.  The Associations appreciate CISA’s objective to introduce clearly defined reporting requirements that will support trend analysis, vulnerability identification, provision of early warnings, and other key national security purposes.

However, the Proposal extends beyond the authorities granted to it under the statute and departs substantially from what Congress intended when it enacted CIRCIA.  At that time, Congress was careful to note that CIRCIA sought to strike “a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”[5] Congress also reiterated that CIRCIA should be implemented “in a way that accounts for the practical needs of industry.”[6] The Proposed Rule falls short of these critical considerations.

The Proposal itself requires reporting of more detailed and expansive data elements than observed in any of the current cyber regulatory reporting requirements, thereby prioritizing routine government reporting over more critical and impactful response and remediation work and potentially increasing operational risks.  The proposed reporting requirements essentially mean that Congress’s intention to create a “substantially similar” exception for reporting to other regulators was simply ignored.  Congress clearly envisioned more limited reporting given that Congress believes there would be some exempted reporting due to existing regulations.  In addition, provisions in the proposed substantial cyber incident definition create an unnecessarily low threshold for reporting, which will likely cause a flood of reports on low-risk incidents that will provide limited value to the government but will be a great cost to the reporting entities.  Providing the requested information will divert attention from incident response teams during the most consequential phase of an incident.  The Proposed Rule will, in its current form, also add overly burdensome obligations to an already sizeable incident reporting compliance apparatus.[7]

There are areas where CISA can enhance the Proposed Rule to allow for reporting requirements that support CISA’s stated goals without creating overly burdensome reporting obligations during the critical early stages of incident response.  As described further below, we respectfully offer the following recommendations for further revision.

  • Refine the applicability of the Proposed Rule and the scope of reportable incidents to focus on substantial incidents that impact critical services and harmonize with existing regulations.
  • Refine and limit the proposed reporting requirements to information directly related to an actionable purpose, such as detecting signs of a widespread vulnerability, so CISA can provide early alerts to critical infrastructure sectors. Narrowing reporting requirements in this way would be consistent with Congress’s intent that some existing reporting requirements be captured by CIRCIA’s “substantially similar” exception.  CISA should also ensure that covered entities are able to exercise the substantially similar exception by publishing guidance on data sharing agreements.[8]
  • Clarify and reduce the supplemental reporting requirements applicable to covered entities.
  • Reduce the recordkeeping burden for incident information.

We hope that this feedback will help CISA refine the Proposed Rule’s reporting requirements in a way that provides critical infrastructure entities with timely and actionable information that will make a meaningful difference in a coordinated cyber incident response.


  1. The American Bankers Association is the voice of the nation’s $24 trillion banking industry, which is composed of small, regional, and large banks that together employ approximately 2.1 million people, safeguard $19 trillion in deposits, and extend $12.4 trillion in loans.
  2. The Bank Policy Institute is a nonpartisan public policy, research, and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States.  The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.  Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.
  3. The IIB represents the U.S. operations of internationally headquartered financial institutions from more than 35 countries around the world.  The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States.  The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers.
  4. SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets.  On behalf of our industry’s one million employees, we advocate on legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services.  We serve as an industry-coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency.  We also provide a forum for industry policy and professional development.  SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”).
  5. Press Release, U.S. Sen. Homeland Sec. Comm., Peters & Portman Landmark Provision Requiring Critical Infrastructure to Report Cyber-Attacks Signed into Law as Part of the Funding Bill (Mar. 15, 2022), https://www.hsgac.senate.gov/media/dems/peters-and-portman-landmark-provision-requiring-critical-infrastructure-to-report-cyber-attacks-signed-into-law-as-part-of-funding-bill/.
  6. Press Release, U.S. H. Comm. on Homeland Sec., Clarke, Thompson, Katko, Garbarino Introduce Bipartisan Cyber Incident Reporting Legislation (Oct. 1, 2021), https://democrats-homeland.house.gov/news/legislation/clarke-thompson-katko-garbarino-introduce-bipartisan-cyber-incident-reporting-legislation-.
  7. The Associations’ members already comply, or will soon be required to comply, with a number of cyber incident reporting obligations at the federal, state, and international levels.  See, e.g., 12 CFR § 53.3; 12 CFR § 225; 12 CFR § 304 [hereinafter, collectively, the US Interagency Cybersecurity Notification Requirement]; 17 CFR § 229.106; 23 NYCRR § 500 [hereinafter NYDFS Part 500]; EU Regulation 2022/2554 [hereinafter Digital Operational Resilience Act (“DORA”)]; U.S. Dep’t Hous. & Urb. Dev., Mortgagee Letter 2024-10 (May 23, 2024).  There are also a number of pending rules from the Securities and Exchange Commission (“SEC”) that would require cybersecurity incident reporting, including the proposed Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Release No. 34–97142, 88 Fed. Reg. 20212 (proposed Apr. 5, 2023) [hereinafter Rule 10 Proposal].
  8. U.S. S. Comm. on Homeland Sec. and Gov’t Affs., Cyber Incident Reporting for Critical Infrastructure Act, at 1 (Dec. 17, 2021), https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/Overview%20of%20Cyber%20Incident%20Reporting%20Legislation.pdf (saying CIRCIA “exempts entities that already have to report to another Federal agency from also having to report to CISA.”).