The American Bankers Association and three financial industry trade groups on Monday called for the Cybersecurity and Infrastructure Security Agency to prioritize cyber incident reporting requirements that are accessible, functional and simple, and to carefully weigh the type and volume of data collected so that it remains useful for preventing systemic vulnerabilities and combating bad actors.
CISA recently requested public comment on developing regulations related to critical infrastructure cyber incident reporting, as mandated by the Cyber Incident Reporting for Critical Infrastructure Act. In their letter, the groups encouraged the agency to focus on incidents where there is actual harm to a covered entity. They also called on CISA to develop clear principles regarding how the government will store and secure reports about cyberattacks and other incidents. In addition, they urged CISA to create a staggered reporting requirement that includes notification of the immediately known details of the incident within 72 hours; to adopt the findings of the Cyber Incident Reporting Council, where permitted, to reduce the burden on businesses and other entities by advancing common standards for incident reporting; and to work with domestic and international authorities to create a common reporting format.