A group of financial organizations has urged CISA to reconsider its proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The organizations, including the American Bankers Association and the Bank Policy Institute, argue that the current rules would impose unnecessary burdens on companies already dealing with cyber incidents. They believe that the rule, which requires cybersecurity incidents to be reported within 72 hours, could divert resources away from critical response efforts. The groups urge CISA to revise the proposed regulations, ensuring that they do not disrupt recovery processes for affected organizations.
CIRCIA, signed into law in March 2022, mandates that covered entities report major cybersecurity incidents within a 72-hour window. Additionally, the law requires reporting of ransomware payments within 24 hours. In response to public feedback, CISA proposed rules for implementing CIRCIA, which are set to take effect in October 2025. These rules aim to standardize incident reporting across all critical infrastructure sectors, impacting over 300,000 entities. However, the proposed regulations have drawn criticism from industry groups who feel they undermine the original intent of the law.
The financial organizations express concern that the proposed rules would force companies to focus on government reporting instead of addressing the immediate consequences of cyberattacks. According to their open letter to CISA, the organizations argue that the rule would hinder response and recovery efforts by demanding extensive reporting in the midst of an ongoing crisis. They urge CISA to collaborate with industry representatives to create a more balanced rule that better aligns with the needs of companies facing cyber threats. The organizations also emphasized the importance of allowing victims to focus on managing incidents rather than navigating additional regulatory hurdles.
The financial organizations have requested that CISA revise the proposed rulemaking before the statutory deadline in October 2025. The group believes that with proper revisions, the rules can achieve the goal of enhancing cybersecurity reporting without imposing undue strain on affected organizations. CISA’s proposed rules have raised concerns about the long-term impact of compliance on critical infrastructure sectors. As cybersecurity experts warn of increased scrutiny and legal challenges to laws like CIRCIA, the group emphasizes the need for clear, effective regulations that support both incident response and transparency.