Which cyber incidents should banks report to the government?

Banks and other firms that operate critical infrastructure in the U.S. have until mid-November to provide their first official comments on a law that will require them to report substantial cybersecurity incidents to the federal government within 72 hours.

The Cybersecurity and Infrastructure Security Agency opened a request for comment Monday regarding the regulations it will enact under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires banks and others to report substantial cybersecurity incidents within 72 hours.

Among the topics on which CISA is seeking comment are which entities are covered under the legislation, what kind of incidents they must report, what information they must report when an incident occurs, when the 72-hour countdown should start, and whether there are any federal and state regulations that are redundant with the new law.

The cyber incident act passed the Senate on March 1 on a bipartisan basis. It also received the support of the Bank Policy Institute, a lobbying group for the U.S. financial sector. The House of Representatives passed the act the next week as part of an omnibus bill, and President Biden signed it into law on March 15.

Jen Easterly, the director of CISA, said the act is a "game changer for the whole cybersecurity community and everyone invested in protecting our nation's critical infrastructure."

While banks are already beholden to a number of state and federal regulations requiring them to report cybersecurity incidents when they happen, the new law will constitute perhaps the most comprehensive cybersecurity reporting requirement for the U.S. to date.

The law will not just require banks to report substantial cybersecurity incidents; any bank that makes a ransomware payment will also have to report that payment to CISA within 24 hours.

Once the law takes effect, every financial institution and every firm in 15 other economic sectors must report each covered incident and ransomware payment to CISA, which will then share the reports with other agencies and aggregate them into quarterly reports.

The law "will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private-sector partners in response," Easterly said. "We can't defend what we don't know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats."

CISA has until March 2024 to propose regulations that will implement the cyber incident reporting law. Once it proposes regulations, it will have 18 months to finalize and enact them.
