IIF Authors


IIF Response to CIRCIA Proposed Rule

On July 2, 2024, the IIF submitted its response to the Cybersecurity and Infrastructure Security Agency's (CISA) Proposed Rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The IIF acknowledges CIRCIA's primary goal of preserving national security, economic security, and public health and safety amid an increasingly sophisticated threat landscape. The response emphasizes the importance of the financial sector's voluntary networks for threat intelligence and incident information sharing, including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Analysis and Resilience Center for Systemic Risk (ARC), and commends the establishment of the Cyber Incident Reporting Council (CIRC) to harmonize reporting requirements.

The IIF notes the complexity of the reporting landscape and the many overlapping requirements at both the federal and state levels, and proposes several recommendations to streamline the Proposed Rule: focusing on substantial cyber incidents with significant impacts on critical services and processes, and on those most likely to cause material harm to the U.S. economy or national security; clarifying that covered entities should be limited to those performing critical functions within a corporate group, not the entire parent organization or holding company; clarifying that reports should be submitted by the entity at the source of the incident, and that any required third-party incident data should be limited in scope; and aligning reporting requirements with those of other U.S. authorities while reducing the need for numerous supplemental reports.

The IIF affirms its support of CIRCIA's goals and emphasizes the need to balance reporting requirements with the practical realities of responding to cyber incidents. We encourage CISA to continue its information sharing and collaboration efforts with covered entities in order to enhance national cybersecurity and the resilience of critical infrastructure sectors.