Cybersecurity Reporting Chaos Strains Financial Institutions
July 26, 2024 | Oversight and Reform: House Committee, Standing Committees - House & Senate, Congressional Hearings Compilation, Legislative, Federal
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
During a recent government meeting, officials highlighted the complexities surrounding cyber incident reporting for financial institutions. The current framework requires institutions to navigate a series of distinct reporting obligations to various regulatory bodies, which can be cumbersome and time-consuming.
For instance, if a financial institution experiences a reportable cyber incident, it must notify the Federal Housing Administration within 12 hours, inform its primary banking regulator within 36 hours, and alert Ginnie Mae within 48 hours. Additionally, a detailed report must be submitted to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, followed by a public disclosure to the Securities and Exchange Commission (SEC) within four business days. This multi-step process can detract from frontline cyber personnel's ability to focus on day-to-day security measures.
Officials suggested that streamlining the reporting process could enhance efficiency. One proposed solution is to have institutions report incidents directly to CISA, which would then distribute the information to the relevant agencies. CISA has been tasked with harmonizing cybersecurity regulations, and recent proposed rules indicate a commitment to simplifying these requirements. Feedback from financial trade groups and leaders in the House Homeland Security Committee and Senate HSGAC supports this initiative, emphasizing the need for better integration of existing reporting requirements.
For instance, if a financial institution experiences a reportable cyber incident, it must notify the Federal Housing Administration within 12 hours, inform its primary banking regulator within 36 hours, and alert Ginnie Mae within 48 hours. Additionally, a detailed report must be submitted to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, followed by a public disclosure to the Securities and Exchange Commission (SEC) within four business days. This multi-step process can detract from frontline cyber personnel's ability to focus on day-to-day security measures.
Officials suggested that streamlining the reporting process could enhance efficiency. One proposed solution is to have institutions report incidents directly to CISA, which would then distribute the information to the relevant agencies. CISA has been tasked with harmonizing cybersecurity regulations, and recent proposed rules indicate a commitment to simplifying these requirements. Feedback from financial trade groups and leaders in the House Homeland Security Committee and Senate HSGAC supports this initiative, emphasizing the need for better integration of existing reporting requirements.
Don't Miss a Word: See the Full Meeting!
Go beyond summaries. Unlock every video, transcript, and key insight with a Founder Membership.
✓
Get instant access to full meeting videos
✓
Search and clip any phrase from complete transcripts
✓
Receive AI-powered summaries & custom alerts
✓
Enjoy lifetime, unrestricted access to government data
30-day money-back guarantee
