A proposed rule requiring financial institutions and other “critical infrastructure” businesses to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency “departs significantly” from what Congress intended when it passed the reporting law, the American Bankers Association and three other associations said today.
The proposed CISA rulemaking would implement the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, of 2022, which establishes reporting requirements for all critical infrastructure sectors in the economy, including financial services. Under the proposal, regulated financial institutions and other critical infrastructure entities would be required to report significant cyber incidents to the Department of Homeland Security or CISA within 72 hours, and any ransomware payments within 24 hours.
“Congress directed CISA to create a rule that gives regulators timely intelligence without diverting front-line defenders from the immediate task of stopping the attack,” the associations said in a statement. “CISA has thus far failed to strike that balance, disregarded congressional intent and risks straining the U.S. financial system’s cyber defenses. Significant changes must be made for this proposal to be useful to regulators and industry; otherwise, CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms.”
The associations proposed a series of changes to improve the rulemaking, including limiting the scope of reporting to what matters most, focusing data collection on what companies “need to know” to prevent contagion, clarifying and reducing the supplemental reporting requirements applicable to covered entities, and reducing the amount of time firms are required to keep forensic data.