Director Jen Easterly
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Re: Docket ID CISA-2022-0010, Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022
Dear Director Easterly:
The Bank Policy Institute (“BPI”), American Bankers Association (“ABA”), Institute of International Bankers (“IIB”), and Securities Industry and Financial Markets Association (“SIFMA”) (together, “the Associations”) appreciate the invitation to contribute comments to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) request for information (“RFI”) on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) requirement to develop regulations related to critical infrastructure cyber incident reporting.
The Associations applaud CISA’s early and frequent communications signaling an intent to work with critical infrastructure entities to craft an effective rule and welcome the efforts evident through this engagement and ongoing public listening sessions. We share a mutual commitment to cybersecurity and the value in sharing threat and incident information, and support efforts to fortify CISA as a leader in this space while minimizing the shared burden of actively defending critical infrastructure systems. The financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. In addition to a long history of complying with a variety of cybersecurity and incident reporting requirements, the financial services sector has been voluntarily sharing cyber threat information when appropriate and in accordance with relevant legal authorities, with the Federal Bureau of Investigation (“FBI”), the U.S. Secret Service, and the Department of Homeland Security (“DHS”), to facilitate the federal government’s interdiction of malicious cyber activity. The Associations also share information when appropriate with a wide range of partners via the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), which shares cyber threat information and best practices among nearly 7,000 members across the globe, including 4,600 U.S. financial institutions. The FS-ISAC was one of the first ISACs created, in 1999, and is widely recognized as the gold standard that other sectors have worked to replicate.
We agree with CISA’s assertion that the proliferation of cyber incidents is one of the most critical economic and national security threats facing our nation. Effective visibility, awareness, and coordinated information sharing between the public and private sectors are critical during a cyber incident, and reasonable incident reporting to government entities can help disrupt attackers and assist affected firms with protection, mitigation, and response. We understand that the ability to attribute cyber incidents to an entity or entities is key to supporting other important policy objectives, including holding malicious actors accountable for their nefarious activities. However, there are multiple policy objectives at play across the incident reporting landscape, such as providing early warning with actionable information and voluntary supplemental information sharing as the incident unfolds. We urge CISA to recognize this as an opportunity to demonstrate needed leadership and ensure that where there are requirements for incident reporting, they are simple, tied to an actionable purpose, and broadly useful.