On Friday, four banking trade groups published
The trade groups that signed the letter include the Bank Policy Institute, which had
Now, the banking trade groups say the proposed rule, if implemented as written, would "cause a flood of reports on low-risk incidents that will provide limited value to the government but will be a great cost" to the banks reporting them. The bulk of the 26-page letter is dedicated to suggested edits to the rule the groups said would help the government meet the legislative goals of the 2022 law.
Joining the Bank Policy Institute as signatories on the letter were the American Bankers Association, whose members are small, regional, and large banks that together hold $19 trillion in deposits and extend $12.4 trillion in loans; the Institute of International Bankers, which represents internationally headquartered financial institutions; and the Securities Industry and Financial Markets Association, which is a major trade association for investment banks, broker-dealers, and similar institutions.
The groups addressed the letter to Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA). The 2022 cybersecurity reporting law tasked the agency with implementing rules that will require companies and agencies across
Although the law will eventually require banks and credit unions to report "substantial cyber incidents" to the Department of the Treasury, the law does not define the term. Rather, it leaves it up to CISA to define what is and is not substantial, so the agency
In its proposed rule, CISA defines a "substantial cyber incident" as including four types of incidents. In the first type, there is a substantial loss of confidentiality, integrity, or availability of an information system. In the second, there is a serious impact on safety and resiliency of a system. In the third, there is disruption to the ability of the firm to engage in business. In the fourth, there is unauthorized access through a third-party or supply chain compromise.
Any of the four types of cybersecurity incidents would most likely occur because of a cyberattack, but the definitions are written broadly enough that serious accidents would also be covered.
According to the four banking groups, that proposal "extends beyond the authorities granted to it under the statute and departs substantially from what Congress intended when it enacted" the 2022 cybersecurity incident reporting law.
Quoting press releases from the committees in the
"The proposed rule falls short of these critical considerations," the trade groups wrote.
CISA did not immediately respond to a request for comment.
One of the many suggested changes the banking groups proposed in their 26-page letter to CISA is narrowing each of the four aforementioned types of incidents to concern only incidents that affect products and services offered by the firm.
Specifically, the third type of incident — those that disrupt the firm's ability to engage in business — includes "de minimis operational outages to non-critical services," according to the letter from the groups. The groups proposed to change that definition to specify that only "substantial" disruptions to "a critical portion" of business operations "required for provision of products or services" would count.
Compliance with the 2022 cybersecurity incident reporting law requires CISA to release a final rule around October 2025, and that rule would then be implemented in 2026,