Banking Groups Push Back Against 24 Hour Breach Disclosure Bill
Recent plans to adjust federal rules around disclosing data breaches have drawn the ire of the banking community.
Last month's introduction of the Cyber Incident Notification Act of 2021, legislation that would require some companies to report cyberattacks within 24 hours, has rankled another industry.
A handful of financial services trade groups, specifically the American Bankers Association, the Bank Policy Institute and the Consumer Bankers Association, expressed their dissatisfaction with the bill this week, urging the U.S. Senate Intelligence Committee to amend its 24-hour data breach notification requirement to a 72-hour notification requirement.
First announced last month, the bill would require agencies and some companies to report hacks within 24 hours, and would allow them to be fined up to 0.5% of their previous year's revenue for each day they break the rules.
The act would technically apply to federal agencies, federal contractors and organizations that are considered critical to U.S. national security. The bill would empower the Department of Homeland Security's Cybersecurity and Infrastructure Agency by requiring those entities to report a confirmed cybersecurity intrusion to it within 24 hours, and then to report again with any new information within 72 hours.
In a letter to the U.S. Senate Intelligence Committee on Tuesday, the banking groups raised a few nits to pick with the bill, but their central contention is that filling out government paperwork would distract from their mitigation and response efforts immediately following a data breach.
“Extending the reporting timeline in the legislation to 72 hours after confirmation an incident has occurred would also be more consistent with the bill’s definition of a “cybersecurity intrusion” which includes incidents involving nation-states or advanced persistent threats – both of which firms would be unable to determine within a 24-hour period given the need for assistance and confirmation of attribution from federal agencies,” the group writes.
The letter, which was addressed to Mark Warner, the Chairman of the Senate Select Committee on Intelligence, and Marco Rubio, a ranking member, also claims the bill's provisions would interfere with cybersecurity requirements already on the books that impact their organizations.
The group stresses that banks are already under an obligation to report to groups like the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Securities and Exchange Commission, and that to ensure alignment with existing regulations, a more streamlined reporting process could be needed in which the aforementioned groups could work with CISA, too.
"Otherwise," the group says, "still more time will be spent by first responders working with firms’ legal and compliance teams to ensure that each agency’s requirement is met rather than focusing those efforts on protecting critical infrastructure."
The banking industry isn't the first group aiming to change provisions in the bill. A handful of big-name technology firms, Amazon, Google and Oracle to name a few, represented by the Information Technology Industry Council, are reportedly putting their support behind a competing bill of sorts. According to a Wall Street Journal report last week, the group is putting together a bill for the House Homeland Security Committee; central to that bill is a 72-hour period for reporting data breaches.
While similar bills haven’t moved forward in Congress as of late, fallout from last year’s SolarWinds breach and this year’s Colonial Pipeline ransomware attack could put pressure on politicians to respond with a bipartisan effort sooner than later.
Even if neither bill moves forward, there is clearly momentum mounting toward the passage of legislation designed to crack down on businesses that fail to properly respond to data breaches, putting further emphasis on the importance of quickly detecting and mitigating cyberattacks.