In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law, requiring the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations that require certain entities in critical infrastructure sectors, known as “covered entities”, to report significant cyber incidents and ransomware payments. The new incident reporting requirements are expected to enable CISA to assist covered entities that fall victim to cyberattacks, to understand how cyberattacks are affecting different critical infrastructure sectors, and to share information on potential attacks across those sectors.
Earlier this year, CISA published a Notice of Proposed Rulemaking, and DTCC provided comments on the proposed rule. Kelly Feili, DTCC Director, Operational and Technology Risk (OTR) Advocacy, sat down with DTCC Connection to share her insights and a deeper look into CIRCIA and its impact on the financial services industry.
DC: DTCC and the financial services sector provided comments to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). What are DTCC’s views on CIRCIA?
KF: DTCC and the financial services sector are supportive of CISA’s mission to develop a coordinated, informed U.S. response to attacks against U.S. critical infrastructure. DTCC recognizes the importance of CISA gaining the ability to better identify trends and track cyber threat activity across the cyber threat landscape with impacts to national security. As the cyber threat landscape continues to evolve at a rapid pace, DTCC, like the sector, is committed to helping CISA achieve its objectives.
However, DTCC believes several of the proposed requirements do not strike the right balance between CISA getting the right information quickly and the level of burden put on covered entities. DTCC submitted comments that aim to address this disparity, focusing on scope and contents of the reporting requirements and indicating areas that could align with existing requirements.
DC: Many comment letter responses focused on the definition of “substantial cyber incident”. Why is this definition important, and what changes were suggested by DTCC?
KF: The substantial cyber incident definition drives the scope of which cyber incidents covered entities will be required to report. Therefore, getting this definition right is critical to achieving CISA’s desired outcomes and to ensuring the reporting burden aligns with the severity of the incident. If there is ambiguity or uncertainty, covered entities, in addition to CISA, may be forced to spend valuable resources on reporting activities that are unlikely to achieve CISA’s objectives.
The intent of the definition is to limit incident reporting requirements to only incidents that would have a substantial impact to a critical entity. However, there were several aspects of the proposed definition that would expand the scope beyond substantial cyber incidents. Additionally, certain aspects of the definition would create regulatory uncertainty and challenges for covered entities, particularly the requirements related to reporting incidents that originate at certain third parties or through the supply chain.
DTCC made the following recommendations to address these concerns:
- Ensure each element of the definition includes a materiality threshold. Part of the proposed definition of substantial cyber incident seemingly creates an expectation that a cyber incident that causes any level of disruption to business operations would need to be reported, including incidents that lead to minor disruptions, or any incident that originates at certain third parties regardless of impact.
- Specify in the final rule that covered entities are required to report only on information available at the covered entity and are not required to seek incident information directly from cloud service providers, managed service providers or third-party data hosting providers.
DC: There are many regulatory incident reporting frameworks. What makes this framework different from other regulatory incident reporting frameworks?
KF: When addressing concerns in the CIRCIA proposal, DTCC kept in mind that CISA’s objectives are different from our financial regulators’ objectives and, therefore, the reporting requirements will never fully align. DTCC recognizes that CISA will want more incident information to understand who the threat actor is, and more specific technical information about the incident, something our regulators do not typically seek. Even so, DTCC and others in the financial services sector believe CISA can better align with existing incident reporting requirements, particularly in the early stages of an incident.
DC: DTCC has long partnered with the financial services sector to compose responses to cyber and resilience regulatory proposals. Why is this important?
KF: Having a unified industry voice is important to shape practical regulation that meets regulators’ objectives while being achievable for financial institutions. DTCC participates in several forums that open opportunities for discussing and reviewing the benefits and potential challenges of proposed rules and legislation with other financial institutions. DTCC and other institutions across the industry provide needed insights that are often received positively by financial regulatory authorities, and that help ease compliance burdens and enhance the resilience of individual institutions and of the financial services sector as a whole.