Agencies Propose Faster, Broader Reporting of Cyber Incidents for Banks

The Treasury Department’s Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation seek comment on a joint proposal that would expand and hasten reporting requirements for computer security incidents.


Policymakers of the congressionally mandated Cyberspace Solarium Commission have called for a systematic way for critical private-sector entities to share cyber incidents in order to glean more information about necessary defensive measures. A provision in the House-passed 2021 National Defense Authorization Act called for a Department of Homeland Security study of how to effectively establish such a system. But it was opposed by major industry groups—including the U.S. Chamber of Commerce—which argued it was unnecessary to secure government systems and information, and it was not included in the final bill.


But the vast majority of U.S. critical infrastructure is privately owned or operated, and according to a notice set to publish Tuesday in the Federal Register, current regulations don’t capture the full scope of events that could affect the financial stability of the United States or provide enough time for the agencies to appropriately respond.


The Gramm-Leach-Bliley Act, for example, sets the expectation that banking organizations notify their federal regulators “as soon as possible” if they become aware of “an incident involving unauthorized access to, or use of, sensitive customer information.” But there is a whole range of computer security incidents not included in that category. 


Under the new rule, an incident requiring notification, or “notification incident,” may include “major computer-system failures, cyber-related interruptions, such as coor ..
