The growing number and scope of breach notification rules for regulators, state authorities, and soon the federal government may hamper their effectiveness, industry groups warn.
Lawmakers are considering mandatory requirements for companies in industries such as finance, energy, and power to report cyber attacks against their systems. Lawmakers have introduced bills in the House and Senate since a series of cyberattacks on key technology products from SolarWinds Corp. and Microsoft Corp.
Attacks on critical infrastructure providers like Colonial Pipeline Co. have also prompted the Transportation Security Administration to issue updated cybersecurity guidelines, including a requirement to report attacks.
Any larger federal rule must consolidate existing requirements, said Heather Hogsett, senior vice president of the technology arm of the Bank Policy Institute, a lobby group for large banks. Industry groups are pushing for federal bills to provide a single set of rules to follow, rather than a complicated series of notifications to individual regulators and federal agencies for each incident.
“This is really a critical point for us,” Hogsett said, speaking at a House Homeland Security Committee cybersecurity subcommittee hearing on Wednesday.
For example, said Ms Hogsett, a financial company may be subject to the notification rules of the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., the New York State Department of Financial Services, and the Department of Treasury, as well as under the European Union General Data Protection Regulation, among others.
Separately, the United States Securities and Exchange Commission is preparing a proposal on cybersecurity risk governance, which could include an element of notification, Chairman Gary Gensler said in a speech to the European Parliament's Committee on Economic and Monetary Affairs on Wednesday.
“It is a heated debate, the reporting of incidents,” he said.
Some bills position federal agencies such as the Cybersecurity and Infrastructure Security Agency as clearinghouses for breach notifications. The House Cyber Incident Reporting for Critical Infrastructure Act of 2021, for example, would require the CISA to establish a central office to receive and manage these reports.
Having CISA coordinate the reporting of breaches would help ensure that information is properly shared between regulators, law enforcement agencies and businesses, said John Miller, senior vice president of policy and general counsel of the Information Technology Industry Council, a trade association for technology companies, at the same congressional hearing.
“We also need the CISA to talk to the FBI and financial regulators and anyone else who really has information or receives these reports,” he said.
In the Senate, a bill requiring government agencies, federal contractors and critical infrastructure operators to report incidents was criticized for requiring notification within 24 hours of detecting an incident. The House bill gives businesses at least 72 hours.
Industry groups are also urging lawmakers to be clear about which incidents companies must report. Distinguishing between attempts stopped at the firewall and successful attacks is important, Hogsett said, to reduce the amount of paperwork filed.
“If you left the definition and scope too broad, you would literally have, from a single company, potentially hundreds, if not thousands of reports, which is just a huge amount. And these aren’t really the things that are going to cause the level of concern that you are trying to focus on,” she told the subcommittee.
However, Representative Jim Langevin (D., RI) told the hearing that narrowing the scope too much could also cause problems for agencies in recognizing patterns between attacks.
“I’m a little concerned about the gap I see between the amount of information CISA needs to improve the cybersecurity of our critical infrastructure areas, and the amount of information CISA would receive if it were informed only of confirmed cyber incidents,” he said.
Write to James Rundle at [email protected]
Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.