Industry warns of cyber reporting chaos from new regulations

May 2, 2024






Article Summary

TLDR:

  • Industry representatives warn that a proposed federal cybersecurity reporting rule could lead to burdensome requirements and over-reporting of hacks.
  • The rule’s definition of “substantial cyber incident” is considered too narrow by private-sector panelists.

Industry experts raised concerns about a proposed federal cybersecurity reporting rule during a hearing at the House Homeland Subcommittee on Cybersecurity and Infrastructure Protection. The rule, as outlined by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, has been criticized for its narrow definition of “substantial cyber incident,” which could potentially result in over-reporting of cyber incidents. Panelists emphasized the importance of distinguishing between accidental events like software upgrades gone wrong and malicious cyber incidents. Heather Hogsett, a senior vice president at the Bank Policy Institute, highlighted the need for clarity in the reporting requirements to prevent unnecessary reporting burdens on organizations.

The industry is cautious about the technical enforcement language in the proposed rule, as it could lead to confusion and unnecessary reporting. Panelists also highlighted the challenges posed by multiple agencies producing competing rules in the cybersecurity reporting space. The concern is that without proper alignment of reporting requirements, organizations may face excessive reporting obligations and compliance challenges.

Overall, the industry is advocating for a more comprehensive and clear definition of what constitutes a reportable cybersecurity incident to prevent over-reporting and streamline the reporting process for organizations. The goal is to strike a balance between ensuring cybersecurity incident reporting is accurate and effective, while avoiding unnecessary reporting burdens that could overwhelm organizations and hinder cybersecurity efforts.

