ABA, Trade Groups Raise Concerns about Cybersecurity Reporting Legislation

In a joint letter to Senate Intelligence Committee leaders today, ABA and two financial trade groups said that several provisions in the Cyber Incident Notification Act of 2021 conflict with cybersecurity requirements already in place for financial institutions. ABA and the groups urged that any new requirements for reporting, oversight and enforcement be harmonized with existing regulatory requirements.

The timeline for reporting a cybersecurity incident should also be extended to 72 hours from 24 hours—as currently written in the bill—the groups said. The longer deadline would allow institutions to provide more accurate reports, given that firms have limited information on an event within the first 24-36 hours, they noted.

The groups also requested that the scope of reporting be reduced to events that cause actual harm. Reporting of “potential incidents” would create near-constant reporting to the Cybersecurity and Infrastructure Security Agency by financial services firms, given the number of incidents those firms see on a daily basis, the groups wrote.

Additionally, they asked that a mechanism be developed to notify a critical infrastructure entity when an incident affects a federal system holding the entity’s sensitive data. “Should a federal agency experience a cyber-incident affecting the operations and security of systems holding sensitive private sector data, notifying the private entity would allow institutions to take proactive measures to mitigate potential attacks,” the groups said.