06/28/2024 | Press release | Distributed by Public on 06/28/2024 08:18
ABA, BPI, IIB and SIFMA comment on shortfalls of CIRCIA proposal
Washington, D.C. - The American Bankers Association, Bank Policy Institute, Institute of International Bankers and the Securities Industry and Financial Markets Association raised serious concerns today in a letter to the Cybersecurity and Infrastructure Security Agency on its plan to implement new cyber incident reporting laws. The proposed rule would require victims of cyber incidents, like a data breach or other attack, to report to CISA within 72 hours of determining that an incident has occurred.
"Congress directed CISA to create a rule that gives regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack," the Associations commented upon filing the letter. "CISA has thus far failed to strike that balance, disregarded congressional intent and risks straining the U.S. financial system's cyber defenses. Significant changes must be made for this proposal to be useful to regulators and industry; otherwise, CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms."
The proposal is in response to the Cyber Incident Reporting for Critical Infrastructure Act, which financial institutions supported when it became law in March 2022. CISA engaged in a series of listening sessions following CIRCIA's passage, and the Department of Homeland Security also issued its own set of recommendations identifying 45 different reporting requirements across the federal government, each with disparate standards and thresholds, that warrant greater harmonization. However, the proposal does not adequately address these shortcomings.
Our recommendations:
CISA should make the following changes to better align with the CIRCIA statute and achieve a more coordinated and effective cyber incident response:
To access a copy of the letter, please click here.
###
The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.