Banking groups: Cybersecurity reporting legislation conflicts with existing requirements

In an Aug. 16 joint letter to the Senate Intelligence Committee, the American Bankers Association, Consumer Bankers Association and Bank Policy Institute said that several provisions in the Cyber Incident Notification Act of 2021 conflict with existing cybersecurity requirements. The groups urged Congress “that any new requirements for reporting, oversight and enforcement be harmonized with existing regulatory requirements.”

“We deeply appreciate your longstanding work on this issue and your efforts on this legislation and stand ready to work with you on all the issues described above; as drafted, however, we do not support the legislation as we believe that it would hinder rather than enhance cybersecurity for the financial services sector,” the groups added. “We welcome further discussion on how to better protect our nation’s critical infrastructure while ensuring front-line cyber defenders can continue to focus on security threats.”

The groups are calling for Congress to extend the timeline for reporting a cybersecurity incident to 72 hours from the 24 hours the bill proposes. They said the longer deadline would allow financial institutions to provide more accurate reports, given that they often have only limited information on an event within the first 24-36 hours. They also want the scope of reporting to “be reduced to events that cause actual harm” to prevent “near-constant reporting,” and want a mechanism introduced to ensure that critical infrastructure entities are notified when an incident impacts a federal system holding the entity’s sensitive information.

“Should a federal agency experience a cyber incident affecting the operations and security of systems holding sensitive private sector data, notifying the private entity would allow institutions to take proactive measures to mitigate potential attacks,” the groups said.