The five fixes to proposed cyber regulations bankers want to see

An analysis of 13 comment letters from the financial industry highlights the most important changes banks want to see to rules proposed by CISA.

Bankers, payments industry groups and many other financial services industry leaders are largely aligned on the changes they believe must be made to proposed regulations that would affect how firms across industries report cybersecurity incidents.

The proposed rules come from the Cybersecurity and Infrastructure Security Agency, or CISA, which is implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. That act governs banks, dam operators, electrical grid operators and other firms that operate the nation's critical infrastructure.

The act requires these firms to report substantial cybersecurity incidents within 72 hours of reasonably believing that a covered incident has occurred, and it gives them 24 hours after making a ransomware payment to report it. The act left the implementation details to CISA, which published its proposed rule in April.

CISA originally set a June 3 deadline for the public to officially comment on the proposed regulations. Following a request from a broad coalition of industry groups, made the same day the regulations were officially posted to the Federal Register, the agency extended the deadline 30 days. In that time, another 298 comments poured in.

As previously reported, four banking trade groups submitted an expansive, joint letter this month requesting specific changes to the proposed regulations, primarily focused on honing the definition of "substantial cybersecurity incident."

In addition to the joint statement of the four banking groups, American Banker analyzed 11 comment letters, which came from the following entities:

American Banker also analyzed a letter whose signatories include financial services trade groups alongside trade groups representing the communications and electricity sectors. The two-page letter encouraged CISA to "limit the scope and raise the threshold for incident reporting" by amending the definition of a "substantial cyber incident," a request made by most other commenters.

Here are the most common points raised by commenters in the financial services industry:

A higher threshold for reporting

The most common complaint was that the proposed definition of "substantial cyber incident" is overly broad and would lead banks, credit unions and payments companies to report low-risk events to CISA that would not justify the reporting costs.

In its letter, the Independent Community Bankers of America said the criteria for what constitutes a substantial cyber incident are "vague and potentially overly broad."

"This criterion could encompass a wide range of issues that may not typically be critical and could lead to incidents being reported that do not meet the intended threshold," the trade group said.

The Payments Leadership Council articulated a slight variation, requesting that CISA prioritize high-risk events rather than focus solely on all cyber incidents at high-risk entities.

"The proposed rule requires high-risk entities to report all cyber incidents which could lead to inefficiencies," the Payments Leadership Council said. "Since all industries are susceptible to cyber attacks, if CISA focuses its resources on small incidents of these prominent firms it could be ignoring the larger incidents in industries deemed of lesser risk."

Harmonization with existing regulations

The second most common comment requested CISA introduce harmonized reporting standards with consistent definitions and thresholds to reduce both regulatory compliance risks and cybersecurity risks.

Some commenters, including The Clearing House, also requested CISA coordinate with other federal agencies to develop information-sharing arrangements that would permit entities to report information to one central location and rely on the federal government to share between federal agencies as appropriate.

"Harmonized standards would facilitate quicker reporting of material incidents to relevant federal agencies, which would ultimately strengthen national and economic security," The Clearing House said.

The National Association of State Credit Union Supervisors made a similar request about state and territorial supervisory agencies. The association's comment about harmonization was one of only two high-level points of feedback it offered. Specifically, the association requested CISA work to minimize "the burden of duplicative reporting" to agencies beyond the federal level.

"We would like to stress the necessity of including the state and territorial supervisory agencies in any harmonization efforts undertaken," the association's letter reads. "Currently, there are both federal and state cyber-related reporting requirements at play within the financial services sector."

Applicability to noncritical operations

Many commenters requested that reporting requirements implemented by CISA focus solely on incidents that impact the critical operations of covered entities such as banks, rather than all the entities' operations. This, commenters argued, would ensure a focus on protecting national security and critical infrastructure.

These comments tended to overlap with requests to raise the overall threshold a cyber incident must meet before it must be reported. The Institute of International Finance, for instance, requested the definition of substantial cyber incident be narrowed to only cover those having "substantial impacts on critical services or processes."

The institute also argued that the entities covered by the reporting regulations "should be limited to those that perform a critical function." In particular, the proposed rule suggests that the definition of a covered entity would apply at the group or holding company level, which the institute criticized.

"We believe that CISA should consider separately each entity in a corporate group and avoid an interpretation that would result in defining as a covered entity the parent organization or holding company as a result of one or more of its subsidiaries or affiliates being deemed a covered entity," the institute wrote.

Data security and discoverability

Several comments stressed the importance of stringent measures to protect the confidentiality and integrity of the reported information, both from unauthorized access and from requests made under the Freedom of Information Act, or FOIA.

The comments highlighted the need for reassurance around data protection to maintain trust and collaboration between industry and government. The Financial Services Sector Coordinating Council proposed a concrete step.

"In particular, CISA should designate all agency systems containing CIRCIA reports as High Value Assets in accordance with Office of Management and Budget guidance," the council wrote. "Such a designation offers a more consistent way to protect this information commensurate with the risk environment."

The Farm Credit Council said that, while the proposed rule exempts incident reports from disclosure under FOIA, the reports do not get the same level of protection that, for example, Suspicious Activity Reports, or SARs, get.

"If a system institution or other regulated entity were required to submit a cyber incident report to CISA, then the report and the information provided by the reporting entity should receive at least the same level of the protections afforded under other laws and authorities and not less, especially when the report is made to an entity other than its prudential regulator," the council said.

Protecting incident reports at the same level as SARs "would encourage prompt and comprehensive reporting," the council said, and avoid exposing the reporting entity to "significant risk of harm."

A narrower definition of "substantial cybersecurity incident"

Many commenters complained that CISA's proposed guidelines and definitions of what constitutes a "substantial cybersecurity incident" were overly broad, creating not only a risk of over-reporting but also uncertainty about exactly which incidents banks must report.

Some commenters provided specific suggestions on how to hone the definition of "substantial cyber incident" to minimize ambiguity, but none to a greater extent than the Depository Trust & Clearing Corporation, or DTCC, which dedicated seven pages to suggestions on how to modify the proposed five-prong definition from CISA.

One problem DTCC highlighted is that the proposed regulation creates an expectation that a cyber incident causing any level of disruption to business operations would be reportable, including incidents that lead to only minor disruptions.

This threshold is so low, according to DTCC, that a bank would have to report a cyber incident at a critical third party (such as a cloud services vendor) even if that incident did not directly affect the bank.

"DTCC recommended the additional refinements, including ensuring appropriate materiality is included in the definition of substantial cyber incident so that covered entities can definitively understand the scope of their reporting obligations," the comment letter read.
