A group of 47 business organizations has sent a letter to Congressional leaders urging them to remove a section from the Senate’s Cybersecurity Information Sharing Act (CISA) that they say would give the Department of Homeland Security and other regulatory agencies direct regulatory authority over financial services firms.
The provision they oppose applies to critical infrastructure, in which a “cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The groups fear that this section could lead to mandatory, rather than voluntary, incident reporting and also allow agencies to prescribe cybersecurity practices for covered entities.