Bankers, payments industry groups and many other financial services industry leaders are largely aligned on the changes they believe must be made to proposed regulations that would affect how firms across industries report cybersecurity incidents.
The proposed rules come from the Cybersecurity and Infrastructure Security Agency, or CISA, which is implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. That act governs banks, dam operators, electrical grid operators and other firms that operate the nation's critical infrastructure
The act requires these firms to report substantial cybersecurity incidents within 72 hours of identifying the severity of the incident, and it gives them 24 hours to report ransomware payments. The act left ambiguous the implementation details, leaving it to CISA to propose rules and regulations. In April, the agency
CISA originally set a June 3 deadline for the public to officially comment on the proposed regulations. Following
As
In addition to
CLS Bank International , a multicurrency cash settlement firm that processes payment instructions with an average value of $5 trillion per day, in 17 currencies.AgFirst Farm Credit Bank , one of the four banks in the Farm Credit System, with $44.3 billion in total assets.CoBank , the largest of the four banks in the Farm Credit System, with $190 billion in total assets.- The
Farm Credit Council , a network of the borrower-owned cooperative lending institutions that make up the Farm Credit System, including CoBank and AgFirst. Independent Community Bankers of America , a trade group representing more than 1,200 community banks.The Clearing House Payments Company , which owns and operates the ACH network.- The
Financial Services Sector Coordinating Council , whose more than 70 members include banking trade organizations and many of the nation's largest banks. - The
Institute of International Finance , a 400-member group spanning 80 countries representing the global financial services industry. - The
National Association of State Credit Union Supervisors , which represents credit unions and 45 state governmental agencies that charter, regulate and examine state-chartered credit unions. - The
Payments Leadership Council , which consists of American Express, Discover, FIS, Fiserv, Mastercard and Visa. - The
Depository Trust & Clearing Corporation , a financial market infrastructure company that processes trillions of dollars of securities transactions daily.
Additionally, American Banker also analyzed
Here are the most common points raised by commenters in the financial services industry:
A higher threshold for reporting
The most common complaint was that the proposed definition of "substantial cyber incident" is overly broad and would lead banks, credit unions and payments companies to report low-risk events to CISA that would not justify the reporting costs.
In its letter, the Independent Community Bankers of America said the criteria for what constitutes a substantial cyber incident is "vague and potentially overly broad."
"This criterion could encompass a wide range of issues that may not typically be critical and could lead to incidents being reported that do not meet the intended threshold," the trade group said.
The Payments Leadership Council articulated a slight variation, requesting that CISA prioritize high-risk events rather than focus solely on all cyber incidents at high-risk entities.
"The proposed rule requires high-risk entities to report all cyber incidents which could lead to inefficiencies," the Payments Leadership Council said. "Since all industries are susceptible to cyber attacks, if CISA focuses its resources on small incidents of these prominent firms it could be ignoring the larger incidents in industries deemed of lesser risk."
Harmonization with existing regulations
The second most common comment requested CISA introduce harmonized reporting standards with consistent definitions and thresholds to reduce both regulatory compliance risks and cybersecurity risks.
Some commenters, including The Clearing House, also requested CISA coordinate with other federal agencies to develop information-sharing arrangements that would permit entities to report information to one central location and rely on the federal government to share between federal agencies as appropriate.
"Harmonized standards would facilitate quicker reporting of material incidents to relevant federal agencies, which would ultimately strengthen national and economic security," The Clearing House said.
The National Association of State Credit Union Supervisors made a similar request about state and territorial supervisory agencies. The association's comment about harmonization was one of only two high-level points of feedback it offered. Specifically, the association requested CISA work to minimize "the burden of duplicative reporting" to agencies beyond the federal level.
"We would like to stress the necessity of including the state and territorial supervisory agencies in any harmonization efforts undertaken," the association's letter reads. "Currently, there are both federal and state cyber-related reporting requirements at play within the financial services sector."
Applicability to noncritical operations
Many commenters requested that reporting requirements implemented by CISA focus solely on incidents that impact the critical operations of covered entities such as banks, rather than all the entities' operations. This, commenters argued, would ensure a focus on protecting national security and critical infrastructure.
These comments tended to overlap with requests to reduce the overall threshold a cyber incident must meet before it must be reported. The Institute of International Finance, for instance, requested the definition of substantial cyber incident be narrowed to only cover those having "substantial impacts on critical services or processes."
However, the institute also specified that the entities covered by the reporting regulations "should be limited to those that perform a critical function." More specifically, the proposed rule suggests that the definition of a covered entity would apply at the group or holding company level, which the institute criticized.
"We believe that CISA should consider separately each entity in a corporate group and avoid an interpretation that would result in defining as a covered entity the parent organization or holding company as a result of one or more of its subsidiaries or affiliates being deemed a covered entity," the institute wrote.
Data security and discoverability
Several comments stress the importance of stringent measures to protect the confidentiality and integrity of the reported information, both from unauthorized access but also against requests made through the Freedom of Information Act, or FOIA.
The comments highlighted the need for reassurance around data protection to maintain trust and collaboration between industry and government. The Financial Services Sector Coordinating Council mentioned this.
"In particular, CISA should designate all agency systems containing CIRCIA reports as High Value Assets in accordance with Office of Management and Budget guidance," the council wrote. "Such a designation offers a more consistent way to protect this information commensurate with the risk environment."
The Farm Credit Council said that, while the proposed rule exempts incident reports from disclosure under FOIA, the reports do not get the same level of protection that, for example, Suspicious Activity Reports, or SARs, get.
"If a system institution or other regulated entity were required to submit a cyber incident report to CISA, then the report and the information provided by the reporting entity should receive at least the same level of the protections afforded under other laws and authorities and not less, especially when the report is made to an entity other than its prudential regulator," the council said.
Protecting incident reports at the same level as SARs "would encourage prompt and comprehensive reporting," the council said, and avoid exposing the reporting entity to "significant risk of harm."
A narrower definition of "substantial cybersecurity incident"
Many commenters complained that CISA's proposed guidelines and definitions of what constitutes a "substantial cybersecurity incident" were overly broad, creating not just a potential problem of too much reporting but also a lack of clarity regarding what incidents exactly banks need to report.
Some commenters provided specific suggestions on how to hone the definition of "substantial cyber incident" to minimize ambiguity, but none to a greater extent than the Depository Trust & Clearing Corporation, or DTCC, which dedicated seven pages to suggestions on how to modify the proposed five-prong definition from CISA.
One example of a problem the corporation highlighted is that the proposed regulation creates an expectation that a cyber incident that causes any level of disruption to business operations would be reportable, including the reporting of those that lead to minor disruptions, DTCC said.
This threshold is so low, according to DTCC, that a bank would even have to report a cyber incident to a critical third party (such as a cloud services vendor), even if that incident did not directly affect the bank.
"DTCC recommended the additional refinements, including ensuring appropriate materiality is included in the definition of substantial cyber incident so that covered entities can definitively understand the scope of their reporting obligations," the comment letter read.
