Banking Groups Object to Breach Notification Bill Provisions
Banks Argue That 24-Hour Reporting Requirement Would Result in 'Erroneous' Reports
Three banking trade groups are objecting to provisions of a bill now pending in Congress that would require security incident reporting within 24 hours of discovery.
The American Bankers Association, Bank Policy Institute and Consumer Bankers Association sent a letter to the U.S. Senate Intelligence Committee recommending that the Cyber Incident Notification Act of 2021 be amended to include a 72-hour notification requirement, rather than 24 hours.
"The initial stages of an incident response require 'all hands on deck' to focus immediately on understanding the incident and implementing mitigation and response measures," the banking groups write. Filing notification reports within 24 hours of incident discovery would result in "premature" and "erroneous" reports, they contend.
The groups say that financial institutions "will have limited information on an event" within 24 hours. They add that the details of cyber intrusions involving nation-states or advanced persistent threat groups cannot be adequately gathered within 24 hours, given the need for assistance from federal agencies.
Components of the Bill
The bill, formally introduced last month, would require federal agencies, federal contractors and organizations that are considered critical to U.S. national security to report security incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours of discovery (see: Senators Introduce Federal Breach Notification Bill).
It defines several types of intrusions that would trigger the notification to CISA, including those that involve nation-states, an advanced persistent threat actor or a transnational organized crime group; those that could harm U.S. national security; or those that involve ransomware with national security implications.
Noncompliant companies could face financial penalties up to 0.5% of the previous year's gross revenue. Other national breach notification bills have failed to advance in Congress in recent years.
Banks Concerned About 'Constant Reporting'
The banking groups say reporting of potential incidents within 24 hours would create "near-constant reporting to CISA by financial services firms," due to the number of daily incidents. They also say the process would "add noise to the signal of material incidents," thus overwhelming CISA's analytical efforts. And the groups call for focusing only on reporting of incidents that "cause actual harm."
The banking groups argue that the financial industry is "already subject to significant cyber reporting requirements."
As a result, the groups say, "we recommend that the legislation include a mandate for CISA to work with all the other regulatory agencies to develop a common reporting form and streamlined process. Otherwise, still more time will be spent by first responders working with firms' legal and compliance teams to ensure that each agency's requirement is met rather than focusing those efforts on protecting critical infrastructure."
Penalties for Noncompliance
In their letter, the trade groups indicate that penalties are not "harmonized" with the existing regulatory framework.
"Our concern is that financial services firms could be subject to multiple enforcement actions and multiple penalties for the same reporting violation," they say. The groups recommend CISA coordinate with other agencies on all enforcement actions.
"We believe that [the legislation, as drafted] would hinder rather than enhance cybersecurity for the financial services sector," the letter states.
Security Experts Push Back
Frank Downs, a former offensive analyst for the National Security Agency, says the letter from the banking community "provides some broad-stroke reactions to specific issues, which ultimately show the true intent of these organizations - saving money on incident response and decreasing their liability risk profile."
Downs, director of proactive services for the security firm BlueVoyant, adds: "The reality is that 72 hours is too long if it is the only requirement for an indicator, as an attack may have spread beyond the one organization at that point."
Security incidents must be reported quickly because "time is of the essence in responding … and CISA should be aware of that in a timely manner," says Padraic O'Reilly, a former adviser to the Department of Defense and co-founder and chief product officer for the firm CyberSaint Security.
Downs also questions the banking groups' request to narrow reporting requirements to incidents resulting in "actual harm," noting that it's difficult to measure harm. "It's hard not to view this as a request to provide the financial firms more leeway and less liability," he says.
O'Reilly offers a similar observation: "This seems to be a concern from the trade organizations that reputational issues should preclude transparency. In the current environment, the public good needs to trump that institutional imperative."