In
The report from the accountability office condenses and revisits some of its recent findings about efforts from the Office of the National Cyber Director, Department of Homeland Security and U.S. Treasury to bring conflicting regulations into alignment.
One example of the current disharmony in cybersecurity regulations is data breach notification rules, which vary by state and are not preempted by a single overriding federal law. Each state sets its own timeline for how quickly a company that suffers a data breach must notify the state's attorney general, usually within 45 to 90 days of determining the scope of the breach.
In its Wednesday report, the accountability office revisited an
That 2020 analysis concluded with two recommendations: that the Treasury track the content and progress of sector-wide cyber risk mitigation efforts, and that it update the sector-specific plan to include metrics for measuring progress on these efforts.
In comments provided for the 2020 report, the Treasury generally agreed with the two recommendations but said it had limited authority to implement them.
For example, the Treasury said that asking firms to provide metrics on their progress toward sector-wide cybersecurity goals would raise concerns among the firms that the information could be released in response to Freedom of Information Act, or FOIA, requests. While information that firms share about specific data breaches is expressly exempt from disclosure under FOIA, metrics on firms' progress toward meeting cybersecurity standards are not so clearly exempt.
In its report released Wednesday, the accountability office said the two recommendations to Treasury "remain open."
The report touches on other harmonization efforts. For example, Congress and the president passed the
Rules around what, when, and to whom a bank must report in the wake of a data breach remain a key point of regulatory friction. Some hope a new federal office could help.
For the most part, the report concluded, these efforts remain incomplete. The incident reporting act in particular is still months away from having its implementing rules finalized. Just this week, the
Those rules provide new insight into how the Cybersecurity and Infrastructure Security Agency, which is in charge of enforcing most of the cyber incident reporting act, will decide whether a cybersecurity incident is substantial enough to be reportable. However, the proposed rules lack some of the objective thresholds that existing rules contain. For example, they do not set a minimum number of affected people before a company must report a data breach to the agency.
To clarify the standards that determine whether a cybersecurity incident must be reported, in September 2023, the Department of Homeland Security released a report with eight recommendations that the federal government could adopt. One recommendation was for the federal government to come up with "model definitions" of reportable cyber incidents, reporting timelines and reporting triggers, which the report recommended Congress then adopt to eliminate barriers to harmonization.
Some people outside government have criticized government actions they consider contrary to the harmonization effort. For example, the Bank Policy Institute has criticized the Securities and Exchange Commission for a recently adopted rule that requires publicly traded companies to disclose material cybersecurity incidents to shareholders within four business days of determining that an incident is material.
Having a single set of generally accepted cybersecurity incident rules would reduce costs for banks, and software industry leaders say it would serve their interests, too.
The current state of affairs in federal cybersecurity regulations is "a complex web of competing priorities where rules aren't just duplicative but create confusion and contradict one another," according to Heather Hogsett, senior vice president of technology and risk strategy for BITS, which is the Bank Policy Institute's technology policy division. Hogsett submitted the remarks for a Wednesday hearing of the U.S. Senate Committee on Homeland Security and Governmental Affairs.
"The most glaring example" of this complexity, Hogsett said, is the SEC's cyber incident disclosure rule, which she said "undermines congressionally mandated efforts to improve cyber incident response."
The accountability office's Wednesday report concludes that as work continues on efforts to harmonize cybersecurity reporting regulations, "it is vital that the stakeholders involved in this process remain focused on resolving the conflicts, inconsistencies, and redundancies" in the current rules. Following through on the specific plans created to further these efforts, the report states, is "essential to achieving harmonization."