In a letter to the US Congress, the American Bankers Association, Banking Policy Institute and Consumer Bankers Association raised concerns with several provisions within the Cyber Incident Notification Act of 2021, which the groups say would, in practice, conflict with cybersecurity requirements already in place for financial institutions.
The groups said that any new requirements for reporting, oversight and enforcement should be harmonized with existing regulatory requirements for financial institutions – both to avoid confusion and also because those requirements have proven their worth over the years.
Other comments were that the timeline for reporting should be 72 hours after confirmation an incident has occurred. As drafted, the legislation requires the filing of a report within 24 hours of a cybersecurity incident. The initial stages of an incident response require “all hands on deck” to focus immediately on understanding the incident and implementing mitigation and response measures.
The argument is that within the first 24-36 hours, firms will have limited information on an event and thus call for a simple notification that a cyber incident of a sufficient materiality has occurred, with more detailed reporting to follow.
In addition, the groups highlighted that final legislation should:
- narrow the scope of reporting to incidents causing actual harm;
- ensure alignment with existing regulations and avoid duplication with Sector Risk Management Agencies (SRMA);
- ensure the rulemaking process allows for meaningful dialogue with critical infrastructure;
- harmonize financial penalties for non-compliance with the existing regulatory framework; and
- develop mechanisms to notify a critical infrastructure entity when an incident affects a federal system holding the entity’s sensitive data