Top five cyber regulation fixes bankers want implemented now

July 18, 2024

TLDR:

Banking industry leaders are requesting changes to cyber regulations proposed by CISA that would affect how cybersecurity incidents are reported. The most common requests include a higher threshold for reporting, harmonization with existing regulations, focusing on critical operations, protecting data security, and narrowing the definition of a “substantial cybersecurity incident.” Industry groups want to ensure reporting requirements are clearer, protect sensitive information, and prioritize high-risk events to strengthen national security and economic security.

Article Summary:

The banking industry is calling for changes to proposed cyber regulations by the Cybersecurity and Infrastructure Security Agency (CISA) that would impact how firms report cybersecurity incidents. The proposed rules come from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires firms to report substantial cybersecurity incidents within specific timeframes. Industry groups are requesting specific changes, including:

  • A higher threshold for reporting to avoid reporting low-risk events that do not justify the reporting costs.
  • Harmonization with existing regulations to reduce regulatory compliance risks and cybersecurity risks.
  • Focusing reporting requirements on incidents that impact critical operations of covered entities.
  • Protecting data security and ensuring confidentiality and integrity of reported information.
  • Narrowing the definition of a “substantial cybersecurity incident” to minimize ambiguity and clarify reporting obligations.

Industry groups want to ensure that reporting requirements are clearer, protect sensitive information, prioritize high-risk events, and strengthen national security and economic security. By making these changes to the proposed regulations, banks, credit unions, and payments companies aim to improve cybersecurity incident reporting procedures and enhance collaboration between industry and government agencies.
