Trade Associations Recommend Improvements to Cybersecurity Incident Reporting
The Bank Policy Institute, American Bankers Association, Institute of International Bankers and SIFMA (together, "the Associations") urged the Cybersecurity and Infrastructure Security Agency ("CISA") to develop incident reporting requirements that are "simple, tied to an actionable purpose and broadly useful."
In a joint comment letter, the Associations said that implementing an effective incident reporting threshold is necessary. The Associations warned that too low a threshold would result in a deluge of minor reports, and too high a threshold may cause significant events to go unreported. The Associations argued that an incident does not need to originate from a major market participant to be significant to the market, and recommended that the reporting requirements hold all firms to the same standard and focus on the materiality of an incident rather than the reporting entity.
The Associations also encouraged the use of standardized language and a common reporting form to harmonize reporting requirements across industries and ease the reporting burden for affected entities. The Associations encouraged CISA to implement a staggered reporting approach, requiring the most significant information to be reported within 72 hours of the incident and the remaining information to be provided on an ongoing basis. The Associations said that the 72-hour timeline would give firms sufficient time to respond to the incident while still providing CISA with accurate and useful information in a timely manner.
The Associations also encouraged CISA to be fully transparent as to how it intended to use the information.