Priya Patel
TLDR:
- Industry trade groups and lawmakers argue that CISA’s draft cyber incident reporting rule is too broad.
- The rule would require critical infrastructure companies to report significant cyber incidents within 72 hours and ransomware payments within 24 hours.
A draft rule for cyber incident reporting faced significant pushback during a House hearing, with industry groups representing electric, telecommunications, and finance sectors stating that the requirements are excessive. The 447-page draft rule, released in March, aims to improve the government’s understanding of the cyber landscape. However, witnesses expressed concerns that the rule is too broad, potentially overwhelming CISA with reports and hindering smaller organizations. Lawmakers also agreed that the reporting requirements should be more focused and harmonized with existing mandates.
Witnesses criticized CISA’s ability to handle the influx of data and questioned the agency’s subject matter expertise. They also highlighted the challenges of ensuring the security of sensitive data. Industry representatives emphasized the importance of balancing regulatory requirements with collaborative relationships between organizations and agencies. The final version of the rule may be significantly altered based on the feedback received during the hearing.
