Lawmakers reached an agreement on bipartisan cyber incident reporting legislation that includes ICBA-advocated updates to avoid excessive burdens on community banks.
Background: Based on the Cyber Incident Reporting Act (S. 2875), the amendment to the fiscal 2022 National Defense Authorization Act would:
- Establish a cyber incident response office at the Cybersecurity and Infrastructure Security Agency.
- Require critical infrastructure, including financial institutions, to report cyber incidents within 72 hours.
ICBA-Backed Changes: As ICBA advocated in a letter to lawmakers last month, the legislation:
- Directs CISA to rapidly share information on cyber threats.
- Requires reporting of “substantial” cyber incidents, not potential or minor incidents.
- Requires CISA to harmonize regulations to avoid duplicative reporting requirements.
- Directs CISA to account for the size and complexity of cyber incidents in imposing penalties.
- Includes liability protections.
- Requires CISA to include trade associations in its rulemaking outreach.
What’s Next: The amendment will be considered by the House and Senate conference committee, which is meeting to resolve differences between each chamber’s versions of the NDAA. Once a final compromise is agreed to, the legislation will be voted on for final passage.