
Banking Associations Call for Proposed Cyber Incident Rule to Be Withdrawn

Four associations argue that CISA's rule diverts essential cybersecurity resources needed to protect institutions and their customers

Written by Banking Exchange staff
 
 

A coalition of banking associations has urged the Cybersecurity and Infrastructure Security Agency (CISA) to withdraw and reissue its proposed cyber incident reporting rule.

The Bank Policy Institute, American Bankers Association, Institute of International Bankers and the Securities Industry and Financial Markets Association have warned that the Cyber Incident Reporting for Critical Infrastructure Act places an unnecessary burden on institutions and shifts critical cybersecurity resources away from defending institutions and their customers.

The rule, which was signed into law in March 2022, requires reporting and other measures to address cybersecurity incidents, including ransomware attacks.

Under the rule, entities that own or operate critical infrastructure must report cybersecurity incidents within specified time frames, while other entities may voluntarily report incidents.

Although reporting of covered cyber incidents and ransomware payments will not be required until the final rule takes effect, CISA encourages all entities to voluntarily share information on cyber incidents with the agency before the final rule's effective date.

The law aims to strengthen the nation’s cybersecurity by enabling CISA to quickly deploy resources, analyze incoming reports and share information with network defenders.

However, the coalition argued that the current scope of the rule is too broad and could overwhelm regulators with irrelevant data. Therefore, it recommended narrowing the reporting requirements to focus on significant incidents that impact critical services.

The coalition also urged CISA to focus on collecting data that helps companies prevent incidents from spreading. It suggested gathering useful information that can be shared with other companies to protect the economy and avoid similar vulnerabilities.

It also asked the agency to clarify and reduce the additional reporting requirements for covered entities. While acknowledging that regular status updates are important, it argued that constant reporting is unnecessary and ties up critical response resources.
