Financial groups urge CISA to revise proposed incident reporting rule

A group of financial organizations urged the Cybersecurity and Infrastructure Security Agency (CISA) to rescind a proposed rule that would require critical infrastructure entities to report cyber incidents within 72 hours.

CISA’s notice of proposed rulemaking (NPRM) was published in April 2024 and seeks to fulfill requirements set by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. The proposed rule would require organizations in critical infrastructure sectors, including financial services, healthcare, energy and more, to report “substantial cyber incidents” to CISA within 72 hours and ransom payments within 24 hours.

The NPRM outlines which cyber incidents are considered “substantial” and the types of information covered entities need to include in their reports. The proposed rule would also require supplemental reports as new information about an incident becomes available.

The open letter from the American Bankers Association, Bank Policy Institute, Institute of International Bankers and Securities Industry and Financial Markets Association, addressed to U.S. Department of Homeland Security Secretary Kristi Noem and U.S. Office of Management & Budget Director Russell T. Vought, argues the proposed rule in its current state would place an undue burden on cybersecurity teams and goes against the original intent of the members of Congress who approved CIRCIA.

“This includes expansive thresholds for reporting that would capture de minimis outages to non-critical services and extensive data elements that, as currently drafted, will consume the finite time of critical personnel,” the letter published last week stated.

While the proposed rule would exempt entities from reporting information to CISA that is “substantially similar” to information already reported to another federal agency, such as the Securities and Exchange Commission (SEC), the letter’s authors say the “expansive data elements” entities would be required to report essentially nullify this exemption.

The letter additionally cites statements from Republican and Democratic members of Congress expressing concern that the NPRM goes beyond what was intended by CIRCIA.

“It is very important that the regulation is well-crafted and reflects both Congressional intent and the public’s recommendations. As currently written, I have concerns that the effect of this proposed rule fails to hit the mark,” Sen. Gary Peters, D-Mich., stated in a letter to then-CISA Director Jen Easterly in July 2024.

Last week’s letter is not the first time the same group of banking institutions has called for the NPRM to be rescinded and revised. In June 2024, the group published a letter recommending specific changes to the rule, including narrowing the type of incidents that require reporting to only those that affect critical services.

The previous letter also requested that the rule only require reporting of information that is “reasonably available” within 72 hours, stating that the current NPRM requires details about information compromise, affected network locations, vulnerabilities exploited and effectiveness of response efforts that would require forensic analyses and incident reviews that “can take weeks or even months to complete and may include highly sensitive information about a covered entity’s network.”

Other concerns outlined in the June letter included the potential that cyber incidents affecting non-U.S. operations could fall under the reporting requirements, that the requirement to store forensic data for two years could be exceedingly costly, and that requirements for supplemental reporting were unclear and could result in “burdensome overreporting.”

Financial institutions are not the only entities covered by the proposed rule that have expressed concerns about the reporting requirements. In July 2024, the American Hospital Association published a letter to Easterly that argued the rule required a “shockingly large amount of data” and requested that the reporting requirements be simplified and data storage mandates be reduced to avoid overburdening victimized health systems.

If the proposed rule is not rescinded, CISA has until October 2025 to issue a final rule under CIRCIA. However, a regulatory freeze memorandum issued by President Donald Trump upon his inauguration on Jan. 20, 2025, means the proposed rule will need to undergo a review by a department or agency head appointed or designated by Trump before it is finalized.

“There is significant uncertainty regarding the role that CISA will play in the Trump administration, and it appears unlikely that these rules will move forward as proposed,” law firm Gibson Dunn stated in an analysis of the impact of the freeze memorandum.

However, CISA is still required by CIRCIA to implement a reporting rule within a designated timeframe, and revised regulations may be put forth under the Trump administration to meet that requirement within the next few months.
