MSCI, National Association Of Manufacturers Raise Concerns About Trade Association Cyber Reporting Requirements
The Metals Service Center Institute (MSCI), the National Association of Manufacturers (NAM), and dozens of other trade associations recently wrote a letter to the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) regarding proposed cybersecurity incident reporting regulations for critical infrastructure. The letter expressed concerns about the rules, which, if implemented, would require critical infrastructure entities to report their cybersecurity incidents to DHS.
The regulations, which could affect not only trade associations but more than 300,000 U.S. entities, are too expansive, mandating the reporting of incidents that do not even affect the operation of critical infrastructure. If implemented, they also would require huge amounts of information to be provided within a short period by organizations that are still trying to recover from devastating cyberattacks.
The letter seeks clarification that trade associations would not be considered critical infrastructure entities even if they represent companies that own and operate critical infrastructure. “The proposed rule’s definition of covered entity includes ‘any person, partnership, business, association, corporation, or other organization’ that operates ‘in a critical infrastructure sector,’” the letter said. “We are concerned that this broad definition, combined with the inclusion of ‘association’ in the list of entity types, could be misconstrued to ensnare associations like ours that serve members within critical infrastructure sectors but which do not own or operate any critical infrastructure.”
While trade associations like MSCI prioritize efforts to protect their information systems and networks from cyber intrusions, the letter noted that, because trade associations’ work “does not include the ownership or operation of critical infrastructure systems or assets, any potential cybersecurity incidents would not implicate homeland security and thus are irrelevant to CISA’s statutory mandate.”
The letter concluded, “Subjecting trade associations to CIRCIA’s reporting requirements thus would be a clear violation both of congressional intent and of the plain language of the statute.” Read the full letter here.
In addition to clarifying and narrowing the scope of “covered entities,” CISA should revise several aspects of the rulemaking, including by:
- Limiting the volume of reported cyber-incident information;
- Narrowing the scope of reportable cyber incidents; and
- Lightening and safeguarding the contents of cyber-incident reports.