Debevoise’s Data Strategy and Security group recently assisted four leading trade associations that represent the financial services industry in preparing a joint comment letter in response to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) notice of proposed rulemaking for reporting requirements for critical infrastructure entities that experience covered cybersecurity incidents (the “Proposed Rule”), developed pursuant to the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”).

Debevoise worked with the American Bankers Association, Bank Policy Institute, Institute of International Bankers and the Securities Industry and Financial Markets Association to draft recommendations that, if incorporated by CISA into a Final Rule, would better align the reporting requirements to CIRCIA and improve incident response coordination and effectiveness. CISA is required to promulgate a Final Rule by the fall of 2025.

In particular, the comment letter recommends that CISA:

  • Limit the scope of reporting to what matters most. The current scope is too broad and risks overwhelming regulators with irrelevant data. Instead, reporting should be limited to substantial incidents that affect critical services. Moreover, CISA should clarify that the reporting requirements apply only to the U.S. operations of financial institutions and do not apply when an incident occurs entirely outside the United States.
  • Focus data collection on what companies “need to know” to prevent contagion. The information collected should be actionable information that could be shared with other companies to protect the economy and prevent the exploitation of similar vulnerabilities.
  • Clarify and reduce the supplemental reporting requirements applicable to covered entities. Regular status updates are important; however, requiring constant reports is not useful and ties up critical response resources.
  • Reduce the amount of time firms are required to keep forensic data. CISA should shorten the period for which financial institutions must preserve data so that they are not forced to incur expenses for data that may no longer be necessary.

For more information about the Proposed Rule, see our recent Debevoise Data Blog post and webcast.


Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Gabriel Kohan is a litigation associate at Debevoise and can be reached at gakohan@debevoise.com.

Author

HJ Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Group. Her practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation, and regulatory defense. She can be reached at hjbrehmer@debevoise.com.

Author

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.

Author

Jarrett Lewis is an associate and a member of the Data Strategy and Security Group. He can be reached at jxlewis@debevoise.com.

Author

Melyssa Eigen is an associate in the Litigation Department. She can be reached at meigen@debevoise.com.

Author

Josh Goland is an associate in the Litigation Department.

Author

Annabella Waszkiewicz is a law clerk in the Litigation Department.