07.12.24
Companies Sharply Criticize Draft U.S. Cyber Reporting Rules
by: James Rundle
Companies urged the U.S. government to rethink its rules for reporting cyberattacks, saying that a draft proposal from a federal agency is confusing, overly broad and often duplicates existing rules. The proposed rules from the Cybersecurity and Infrastructure Security Agency (CISA), published in the Federal Register in April, would require critical infrastructure companies to report substantial cybersecurity incidents within 72 hours and ransom payments within 24 hours. Financial trade associations said the term “substantial cyber incident” is so loosely defined that CISA risks being overwhelmed with reports for relatively minor issues, as their members will likely err on the side of caution and over-report. The lobby groups, which include the Securities Industry and Financial Markets Association, the American Bankers Association, the Bank Policy Institute and the Institute of International Bankers, also urged the agency in a joint letter to clarify how the rules would affect companies when their suppliers suffer an outage due to a cyberattack, and what obligations would fall on their members’ international units.
Read the full article on The Wall Street Journal