On November 14, 2022 the Institute of International Finance responded to a request for information by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Cybersecurity threats and incidents pose an ongoing risk to the public and private sectors and market participants and, as noted in the RFI, are “one of the most serious economic and national security threats facing our nation.” The IIF and its members recognize the severity of the threat, and the significant role of financial institutions in providing timely, accurate, and decision-useful information on cybersecurity incidents in their capacity as vital components of the nation’s critical infrastructure. We also value information sharing, both with authorities and across the financial sector, and recognize the important role that CISA and other authorities play in sharing information about indicators of compromise, tactics, techniques, procedures, and best practices to reduce the risk of a cyber incident propagating within and across sectors.
The IIF strongly supports CIRCIA’s requirements that a “covered cyber incident” be reported within 72 hours and that ransomware payments be reported within 24 hours, so that CISA can render assistance and disseminate actionable, anonymized cyber threat information to the appropriate stakeholders. We also want to underscore the importance of the provision that the 72-hour reporting deadline begins only once the covered entity determines that a covered cyber incident has occurred. Information sharing is critical, especially at the beginning of an attack, and we appreciate CISA supporting the overall cyber resilience of the financial sector. We propose several recommendations that we hope will clarify the requirements and ultimately increase the cybersecurity of national critical infrastructure in the U.S. and across jurisdictions.
The IIF believes that financial firms are uniquely positioned to play a vital role in supporting and protecting the overall cyber resilience of the financial system. Cyber incident reporting can be a beneficial tool that helps protect the overall financial system by making the U.S. government aware of specific incidents and alerting it to issues that could impact other parts of the financial system or other critical infrastructure sectors. Depending on how the U.S. government responds to the information, it can also help firms recover faster and prevent other organizations from being impacted by the same (or a similar) cyber incident. In practice, however, and as has been detailed in an IIF Staff Paper, cyber incident reporting is less effective than it could be due to ambiguity around how firms and regulatory authorities define what constitutes a cyber incident, as well as differing approaches and reporting requirements.
Given that cyber incidents often take place simultaneously across multiple jurisdictions, we support efforts by CISA and other U.S. agencies to propose rules and guidance that are consistent with those being drafted by global standard-setting bodies, especially the Financial Stability Board (FSB), which has indicated that greater harmonization of regulatory reporting of cyber incidents would promote financial stability across jurisdictions. We support efforts by global standard-setting bodies such as the FSB to help achieve greater convergence across jurisdictions, and are responding to the FSB’s own consultative document on achieving greater convergence in cyber incident reporting, which includes recommendations for how authorities can streamline their processes, establish terminologies, and develop a common format for incident reporting.