Bipartisan bill would require firms to report cyberhacks within 72 hours

The House of Representatives is expected to consider legislation this week that would require financial institutions and other critical infrastructure operators to report substantial cyber incidents and ransom payments to the federal government.

The package of three bills, together titled the Strengthening American Cybersecurity Act, passed the Senate last week by unanimous consent and has been included in omnibus spending legislation that House leaders were trying to bring up for a vote as early as Wednesday. It also has the backing of the lobbying group Bank Policy Institute.

Reporting requirements would remain unchanged for up to three and a half years if the legislation becomes law. During that time, the Cybersecurity and Infrastructure Security Agency, or CISA, would create and execute a rules-making process that fills in specifics of the law.

Among the specifics yet unaddressed are which financial institutions would have to report cyber incidents and ransom payments, what exactly they would have to disclose in such reports, and the precise types of cyber incidents that would require reporting.

Already spelled out in the bill is the 72-hour window banks and others would have to report a cyber incident, starting when the company determines such an incident has occurred, and the 24-hour window they would have to report a ransom payment. The reporting requirements would apply to financial institutions and 15 other sectors, all considered critical infrastructure.

If a company fails to meet the reporting requirements within that time, the law would allow the director of the cybersecurity agency to issue a subpoena to compel the company to report.

But according to one bank lobbying group, banks will want to report incidents regardless of the punishment for not doing so.

“From the banks’ perspective, there is a lot of value in providing the government the information that the act requires banks to report,” said Heather Hogsett, a senior leader of the Bank Policy Institute’s technology policy division.

That value will come in part from public reports the cybersecurity would publish quarterly, in which it would aggregate and anonymize cyber incident reports submitted by infrastructure owners and operators. The agency already publishes some information of that kind on its website.

The 72-hour and 24-hour reporting requirements would be on top of a 36-hour reporting requirement that three bank regulators will start enforcing May 1. That rule will require banks and their third-party vendors to notify their financial regulator about service disruptions and serve a different purpose than the proposed legislation.

According to Hogsett, the 36-hour notices of a service disruption “allow bank regulators to keep a pulse on what is happening in the country’s financial services industry” while the 72- and 24-hour notices to CISA will allow the agency to “produce reports about threat actors and provide early warning of potential attack vectors.”

“The crucial thing this act does is harmonize new cyber incident reporting with requirements that banks must already meet,” she said.

Potential for undue compliance burdens

Nathan Taylor, a partner at the consulting firm Morrison & Foerster, describes himself as a lone skeptic of the legislation, which he said appears to be on the fast track to passage. The legislation passed the Senate by unanimous consent last week.

“It’s unclear to me how it’s going to work in practice, and it’s unclear to me what the scope is, and when those two things are unclear to me, it makes it very hard for me to weigh the costs and benefits,” Taylor said.

Taylor expressed skepticism with the plan of tasking a government agency — in this case, CISA, an agency in its fourth year of existence — with defining the scope and extent to which it will regulate companies in sectors from banking to dams to food and agriculture.

“Have you ever seen a regulator that has an interest in narrowing rules and thereby limiting its scope and its jurisdiction?” Taylor asked. “Why would they take a narrow approach?”

He added that he questioned a number of the assumptions he said underlie support for the bill. One, he said, is a political assumption that “if this doesn’t pass, we’ll get something worse.”

Another assumption he questioned is that centralizing information about cybersecurity incidents with CISA will turn the agency into a hub that provides actionable intel about such threats, allowing companies to bolster their security where it is most needed.

“Is this going to make the U.S. economy stronger and more resilient? I don’t know,” Taylor said. “Or is it just going to create compliance burdens, and then data trickles out in quarterly reports?”

Bipartisan support for legislation appears strong

Sen. Gary Peters, D-Michigan, a co-author of the legislation, said the legislation will provide CISA “with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches.”

Rob Portman, R-Ohio, the other author of the bill, said it “strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

The two released a joint press release after the Senate passed the legislation, saying they had been working with House Democrats and Republicans, including members of the bipartisan Cybersecurity Caucus.

For its part, the Bank Policy Institute “strongly supports passage and prompt enactment of this legislation and believes it will further strengthen U.S. cybersecurity,” Hogsett said, adding that a crucial component of the act is that it will “harmonize” new cyber incident reporting with requirements that banks already face.