Associations Criticize CISA Proposal on Cyber Incident Reporting

In comments on the Cybersecurity and Infrastructure Security Agency ("CISA") proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA"), the American Bankers Association, Bank Policy Institute, Institute of International Bankers and SIFMA ("the Associations") recommended substantial changes to narrow the scope of reportable incidents and reduce undue reporting burdens.

CIRCIA requires covered entities in critical infrastructure sectors to report covered cyber incidents to CISA within 72 hours after the entity reasonably believes the incident has occurred.

The Associations recommended:

  • Limiting the Scope of Reportable Incidents. The Associations argued that the "scope of reportable incidents should be limited to those likely to result in substantial harm to critical infrastructure services." They recommended that (i) "the definition of substantial cyber incident should be limited to cyber incidents that affect the entity's critical infrastructure sector operations" and (ii) the "substantial cyber incident" definition should carry a higher threshold.
  • Focusing Data Collection on a "Need-to-Know." The Associations expressed concern that the proposed rule would create "an unduly burdensome reporting requirement that would divert key resources away from important work during the critical stages of a covered entity’s incident response."
  • Clarifying and Reducing Supplemental Reporting. The Associations said that "CISA should clarify triggers and the timeline for supplemental reporting to avoid burdensome overreporting," noting that cyber incidents often evolve rapidly and that a requirement for constant updates would overcomplicate the process.
  • Reducing the Amount of Time Firms Keep Forensic Data. The Associations recommended that CISA shorten the recordkeeping period "to one year to account for the operational burden and cost of holding voluminous forensics data for two years," provide flexibility in how records are stored, or allow covered entities to delete stored data in a phased approach.