ICBA-backed updates included in cyber reporting bill

Lawmakers reached an agreement on bipartisan cyber incident reporting legislation that includes ICBA-advocated updates to avoid excessive burdens on community banks.

Background: Based on the Cyber Incident Reporting Act (S. 2875), the amendment to the fiscal 2022 National Defense Authorization Act would:

  • Establish a cyber incident response office at the Cybersecurity and Infrastructure Security Agency.

  • Require critical infrastructure, including financial institutions, to report cyber incidents within 72 hours.

ICBA-Backed Changes: As ICBA advocated in a letter to lawmakers last month, the legislation:

  • Directs CISA to rapidly share information on cyber threats.

  • Requires reporting of “substantial” cyber incidents, not potential or minor incidents.

  • Requires CISA to harmonize regulations to avoid duplicative reporting requirements.

  • Directs CISA to account for the size and complexity of cyber incidents in imposing penalties.

  • Includes liability protections.

  • Requires CISA to include trade associations in its rulemaking outreach.

What’s Next: The amendment will be considered by the House and Senate conference committee, which is meeting to resolve differences between the two chambers’ versions of the NDAA. Once a final compromise is agreed to, the legislation will be voted on for final passage.