A new cybersecurity bill could hinder online security at banks and other financial institutions, trade bodies have warned.
In a letter to the Senate Intelligence Committee, the American Bankers Association (ABA), the Bank Policy Institute and the Consumer Bankers Association warned that the Cyber Notification Act of 2021 clashed with existing legislation and would be problematic for banks to implement safely.
The groups said they did not support the act in its current form as they believed it would hinder, rather than enhance, cybersecurity.
The trade bodies urged the committee to ensure that any new requirements for reporting, oversight and enforcement of cybersecurity issues be harmonized with existing regulatory requirements to avoid confusion and the potential undermining of previous rulesets.
Misalignments highlighted in the letter included financial penalties for non-compliance, and the extension of reporting to other regulators. The trade bodies recommended that the legislation include a mandate for the Cybersecurity and Infrastructure Security Agency (CISA) to work with all regulatory agencies to develop a common reporting form and streamlined process.
“Otherwise, still more time will be spent by first responders working with firms’ legal and compliance terms to ensure that each agency’s requirement is met rather than focusing those efforts on protecting critical infrastructure,” the letter stated.
The organizations also requested that the timeline for reporting a cybersecurity incident should be extended to 72 hours. The current 24-hour maximum written in the bill would not give enough time for institutions to provide more accurate reports, they argued, since firms often have limited information on an event in the first 24-36 hours.
Another request was that the scope of reporting be reduced to events that cause actual harm to avoid overwhelming CISA’s analytical efforts. The groups claimed that the agency would be inundated with near-constant reports considering the number of incidents firms see already on a daily basis.
The groups also raised a data-safety concern, requesting that a mechanism be put in place to notify a critical infrastructure entity when an incident affects a federal system holding that entity’s sensitive data.