- CBA on
- CBA Media
Joint Trades Comment Letter re Warner Rubio Collins CIR Bill
Dear Chairman Warner and Ranking Member Rubio,
In the wake of recent ransomware and other cybersecurity attacks, we appreciate your efforts to improve the resilience of federal agencies and private critical infrastructure, emphasizing the importance of public-private collaboration in this ongoing fight. The financial services sector shares your commitment to cybersecurity and the value in sharing threat and incident information and supports Congressional efforts to fortify the Cybersecurity and Infrastructure Security Agency (CISA) as a leader in this space. We have concerns, however, with several provisions within the Cyber Incident Notification Act of 2021, which we believe would, in practice, conflict with cybersecurity requirements already in place for financial institutions.
As Congress considers this legislation, we urge you to ensure that any new requirements for reporting, oversight and enforcement are harmonized with existing regulatory requirements for financial institutions – both to avoid confusion and also because those requirements have proven their worth over the years. Below are changes that we believe are necessary to achieve our shared goal of protecting the nation’s critical infrastructures:
1. Extend the timeline for reporting to 72 hours after confirmation an incident has occurred.
As drafted, the legislation requires the filing of a report within 24 hours of a cybersecurity incident. The initial stages of an incident response require “all hands on deck” to focus immediately on understanding the incident and implementing mitigation and response measures. Filing government reports would not only distract from that work but also result in reports that are premature and likely erroneous. Here it is important to distinguish between notification and a formal report. The European Union’s NIS Directive as well as the recent Notice of Proposed Rulemaking on Computer-Security Incident Notification Requirements from U.S. financial regulators recognize that within the first 24-36 hours, firms will have limited information on an event and thus call for a simple notification that a cyber incident of a sufficient materiality has occurred, with more detailed reporting to follow.
Extending the reporting timeline in the legislation to 72 hours after confirmation an incident has occurred would also be more consistent with the bill’s definition of a “cybersecurity intrusion” which includes incidents involving nation-states or advanced persistent threats – both of which firms would be unable to determine within a 24-hour period given the need for assistance and confirmation of attribution from federal agencies.
2. Narrow the scope of reporting to incidents causing actual harm.
The bill requires reporting of “potential incidents,” which would create near-constant reporting to CISA by financial services firms based on the number of incidents those firms see on a daily basis. Collecting information on potential incidents would add noise to the signal of material incidents, and thus overwhelm rather than enhance CISA’s analytical efforts. We recommend that the legislation require reporting of incidents that cause actual harm.
3. Ensure alignment with existing regulations and avoid duplication with Sector Risk Management Agencies (SRMA).
As you are aware, financial services firms are already subject to significant cyber reporting requirements.1 As drafted, the legislation requires reporting to both CISA and the SRMA. For the financial sector, U.S. Treasury serves as SRMA, but not as regulator as implied in the legislation. Primary regulators that would receive additional reporting include the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Securities and Exchange Commission, among others. We have no objection to reporting to CISA; however, we recommend that the legislation include a mandate for CISA to work with all the other regulatory agencies to develop a common reporting form and streamlined process that would be good for one and good for all. Otherwise, still more time will be spent by first responders working with firms’ legal and compliance teams to ensure that each agency’s requirement is met rather than focusing those efforts on protecting critical infrastructure.
4. Ensure the rulemaking process allows for meaningful dialogue with critical infrastructure.
The rulemaking process should include greater coordination and discussion with critical infrastructure, as many of the details around definitions, the scope of reporting, and specific requirements will be determined through this process. Getting these details right is essential, and the process would benefit from an initial 90-day consultation period with industry followed by a 90-day comment period.
5. Harmonize financial penalties for non-compliance with the existing regulatory framework.
The legislation includes penalties for firms that fail to report, and we agree that any requirement must come with an enforcement mechanism. Our concern is that financial services firms could be subject to multiple enforcement actions and multiple penalties for the same reporting violation. Here again, we would recommend that the legislation mandate that CISA coordinate any enforcement action and ensure that there are not duplicative penalties for the same conduct.
6. Develop mechanisms to notify a critical infrastructure entity when an incident affects a federal system holding the entity’s sensitive data.
Many government agencies and regulatory authorities hold sensitive financial institution data that, if breached, could pose risks to national security. Legislation should encourage bi-directional information sharing and greater collaboration between government and critical infrastructure. Should a federal agency experience a cyber incident affecting the operations and security of systems holding sensitive private sector data, notifying the private entity would allow institutions to take proactive measures to mitigate potential attacks.