A group of industry cybersecurity leaders told lawmakers today that harmonizing “overlapping and inconsistent” government cybersecurity regulations would help reduce the administrative burden on their cyber workforces and free up additional resources for fighting threats.

Patrick Warren, the VP of regulatory technology at the Bank Policy Institute, told members of the House Oversight and Accountability Cybersecurity, IT, and Government Innovation Subcommittee that cyber teams in the finance sector spend more than 70 percent of their time on regulatory compliance activities.

“Diverting finite cyber resources in this way leaves less time for risk mitigation activities and strategic security initiatives to fortify firm defenses moving forward,” Warren said during his opening statement of the hearing.

Rep. Nancy Mace, R-S.C., chairwoman of the subcommittee, highlighted that cyber regulation harmonization is a challenging problem, and the Federal government still has a long way to go on that front.

With the release of its National Cybersecurity Strategy Implementation Plan last July, the White House Office of the National Cyber Director (ONCD) kicked off its work to create a harmonization framework that provides reciprocity of baseline cyber requirements aligned across all critical infrastructure sectors.

Early last month, ONCD announced it is building a pilot reciprocity framework to be used in a critical infrastructure subsector, which will give ONCD “valuable insights” into how best to design a harmonized cybersecurity regulatory approach.

Sens. Gary Peters, D-Mich., and James Lankford, R-Okla., also introduced the “Streamlining Federal Cybersecurity Regulations Act” earlier this month to require the NCD to head a harmonization committee, which would be tasked by Congress with harmonizing Federal cybersecurity regulations.

The witnesses during today’s hearing noted that Congress should designate a single entity to lead cybersecurity regulation harmonization – like ONCD, the Cybersecurity and Infrastructure Security Agency (CISA), or the National Institute of Standards and Technology (NIST).

Maggie O’Connell, director of security, reliability and resilience at the Interstate Natural Gas Association of America, pushed strongly for CISA to serve in this leadership role, noting that Federal agencies operate in silos, which leads to an “increase [in] administrative burdens for coordinating with and meeting requirements of these respective agencies.”

John Miller, the VP for policy, trust, data, and technology at ITI, noted that Congress will now need to provide “precise cyber authorities and clear directions to the Federal agencies to implement and enforce future rules” due to the Supreme Court’s recent decision to overturn the Chevron deference provided to Federal agencies.

Inconsistency in Cyber Incident Reporting Remains Top Challenge

Rep. Mace questioned the panelists on what piece of legislation they want to see from Congress first to aid in cyber regulation harmonization, and nearly all said that inconsistent cyber incident reporting rules in their sector remain a challenge.

“If you could just do one thing – one bill, one policy, one regulation, one piece of legislation – what is that one thing? Because [Congress is] so big, we are so bureaucratic, comprehensive policy, it just ain’t gonna happen,” the chairwoman said. “It’s not going to happen in the next decade because we’re not nimble anymore. We don’t move that fast, unfortunately.”

Warren noted that cyber incident reporting has been a particular challenge for financial institutions.

“These requirements often have slightly different definitions, timeframe for reporting, and information requirements,” he said. Warren said the finance sector has to file at least five “similar but distinct” reports for the same cyber incident, which “takes a lot of time from frontline cyber personnel [and] leaves less time for day-to-day security.”

In his opening statement earlier in the hearing, Warren highlighted that only about 30 percent of the finance sector’s reports can be reused, which places a significant administrative burden on cyber personnel.

CISA is expected to publish its finalized rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) by the beginning of 2026; the rule will require covered entities to report cyber incidents and ransomware payments to the government.

Under the law, critical infrastructure owners and operators are obligated to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.

“CISA has been tasked with harmonizing cyber regulations under CIRCIA. Unfortunately, with their recent proposed rule to implement that legislation, it seems they’ve taken an expansive approach to implementing that law,” Warren told Rep. Mace. “We provided comment with a number of other financial trades encouraging them to better leverage existing requirements.”

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.