On March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was
signed into law. Under CIRCIA, “covered entities” (which include banks and credit unions) are required to
report to the Cybersecurity and Infrastructure Security Agency (CISA) “covered cyber incidents” and
“ransom payments” within certain prescribed timeframes. Although CIRCIA was signed into law in 2022,
the law required the director of CISA (Director) to implement the CIRCIA reporting requirements through
rulemaking.

On April 4, 2024, CISA issued a proposed rule to implement CIRCIA’s cyber incident and ransom payment
reporting requirements (Proposed Rule). The Proposed Rule addresses the types of entities, the types of
incidents and the content of reports that will need to be submitted to CISA once a final rule is implemented.
Notably, all banking or other organizations regulated by the Federal Reserve
Board (FRB), the Office of the Comptroller (OCC), the Federal Deposit Insurance Corporation (FDIC) or the
National Credit Union Administration (NCUA) would be subject to the Proposed Rule. Therefore, the
Proposed Rule sets forth new breach notification requirements that would be applicable to BCG Members.

Please join us at the May BCG Monthly Telephone Briefing where we will discuss the Proposed Rule.