Industry Pushes to Streamline Cyber Regulations
Industry leaders are urging Congress to address redundant cybersecurity regulations that they argue create unnecessary compliance burdens. In testimony, Heather Hogsett of BITS stated that overlapping frameworks divert resources from substantive risk reduction. The push for harmonization is reportedly gaining traction among lawmakers, which could lead to a recalibration of compliance costs and risk assessment methodologies.
- A recent analysis using AI to review 304 federal cybersecurity regulations found that 76% were functionally duplicative across two or more agencies. This overlap leads to an estimated 40% of industry cyber budgets being directed toward compliance rather than active risk mitigation.
- In a survey, chief information security officers from financial institutions reported spending 30% to 50% of their time on compliance and managing examinations. Their teams can spend up to 70% of their time on these functions instead of focusing on defending networks.
- The "Streamlining Federal Cybersecurity Regulations Act" has been introduced in both the House and Senate by a bipartisan group including Senators Gary Peters (D-MI) and James Lankford (R-OK), and Congressman Clay Higgins (R-LA). The bill proposes creating an interagency committee led by the Office of the National Cyber Director to harmonize conflicting rules.
- Specific regulations targeted for review include the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the SEC's Cyber Incident Disclosure Rule. Industry groups argue that the public disclosure of ongoing incidents could expose vulnerabilities to other malicious actors.
- Financial institutions currently face more than 10 separate cyber incident reporting mandates in the United States alone. They are also subject to examinations by multiple agencies, including the Office of the Comptroller of the Currency, the Federal Reserve, and the FDIC.
- A 2020 Government Accountability Office (GAO) report found that cybersecurity requirements imposed on states by four different federal agencies had conflicting parameters, with inconsistencies in 49% to 79% of the requirements.
- To address the compliance burden, the Financial Services Sector Coordinating Council (FSSCC) developed the Cybersecurity Profile. This framework, based on the NIST Cybersecurity Framework, consolidates over 2,300 regulations into a single self-assessment to standardize risk evaluation.
- The push for harmonization also includes a call to reauthorize the Cybersecurity Information Sharing Act of 2015. This act provides liability protections to encourage the sharing of cyber threat information between the private sector and the government.