It's not just bankers who want to see cyber rules harmonized

As a growing number of state and federal regulators come out with their own rules about how companies should respond to cybersecurity incidents, bankers have asked that these new regulations align with each other so that, when their teams scramble to respond, they can spend more time securing their systems and less time worrying about compliance.

Bankers are not alone in making this ask. Leaders in cybersecurity and the software industry, which serve as key vendors to banks, also want harmonization for their own reasons.

In testimony before the House Subcommittee on Cybersecurity and Infrastructure Protection, Drew Bagley, the vice president and counsel for privacy and cyber policy at cybersecurity firm CrowdStrike, recommended that regulators harmonize reporting regulations to the greatest extent possible.

Bagley said that the many new and proposed rules on cyber incident reporting are each "well-intended," but they are being developed simultaneously and with different stakeholders, meaning the potential downside is "burdensome, distracting and costly compliance obligations without additional security gains." The antidote, he said, is "muscular harmonization efforts."

During the hearing last week, Heather Hogsett, a senior leader of the Bank Policy Institute's technology policy division, reiterated her organization's recommendation that the Cybersecurity and Infrastructure Security Agency (CISA) focus on harmonizing cyber incident reporting rules.

BPI supported a bipartisan law passed last year that requires companies in any of the nation's 16 critical infrastructure sectors to quickly report ransomware payments and cyber incidents to CISA. The law directs the agency to finalize rules implementing it by the end of 2025.

BPI framed the law at the time as an opportunity for CISA to establish one rule to harmonize the multiple, sometimes conflicting requirements that banks already face from prudential regulators and other federal agencies.

Several federal agencies have recently stepped up requirements on banks to notify regulators and the public when they fall victim to cybersecurity incidents.

Hogsett specifically called out a proposed rule from the Securities and Exchange Commission, which is expected to be finalized next month, that would require publicly traded companies to report cybersecurity incidents on an 8-K filing within four days of the incident.

Hogsett said during her testimony that this rule would "undermine" the work of CISA and other regulators, in part because those notifications are public rather than merely shared with and between government agencies.

Compliance with these rules can also be costly for banks, which spend 40% of their cybersecurity budgets on compliance, according to the Cyber Risk Institute. Hogsett made a similar claim in her testimony, saying BPI members spend 30% to 40% of the time allocated to cybersecurity on compliance matters.

Other groups have also expressed support for harmonizing cyber incident rules, including a trade group that represents the interests of business software vendors, the Software Alliance. In its 2023 Global Cyber Agenda, the Software Alliance (formerly the Business Software Alliance, or BSA) highlighted "harmonizing laws and policies within and between governments" as one of its five priorities.

As a federal advisory commission considered recommendations last month that CISA take up the mantle of cyber incident harmonization, Henry Young, director of policy for the Software Alliance, reiterated this guidance. Harmonization reduces software makers' concern over compliance obligations, and aligning policies with standards "helps to build trust in software," Young said.

"Certainly, the notion of CISA driving a single, harmonized rule-making process across the federal government is attractive," said Eric Wenger, senior director for technology policy at Cisco, "but there is a flaw with this argument because CISA has no authority over independent federal agencies. Among federal agencies, CISA has a unique cybersecurity-oriented mandate. It can singularly focus on targeted information sharing that will balance the cost of generating reports on victims with the benefit to the security ecosystem from timely reporting requirements. CISA can develop rules for incident reporting that are laser focused on improving cybersecurity and are not reliant on the reporting standards established and followed by other federal regulatory agencies."

The risk in focusing on harmonization is that in the name of achieving a single, unified reporting standard, CISA might then be required to accept the terms demanded by other agencies, which may have a different focus than CISA's focus on improving the nation's cybersecurity.

After a federal advisory committee recommended putting CISA in charge of harmonizing cybersecurity rules, Stephen Lilley, a member of the cybersecurity and data privacy practice at law firm Mayer Brown, offered another critique: Doing so may undermine the agency by making it more politicized.

"One of the great strengths of CISA has been its focus on security, and it's been able to advance goals that everybody shares," Lilley said. "Once you get into regulation, politics tends to get a bit more pronounced."
