ICBA to CISA: Exempt community banks from cyber reporting proposal

ICBA called on the Cybersecurity and Infrastructure Security Agency to exempt community banks from new cyber reporting rules.

Background: The proposed rule would implement Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) reporting requirements for covered entities, with exemptions for smaller businesses. The law requires critical infrastructure owners to report substantial cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.

Details: In a comment letter to CISA, ICBA said:

It generally supports the law and intent of CISA’s proposed rule, though community banks should be fully exempt.

The proposed CIRCIA rule would introduce unnecessary complexities and burdens on community banks, which are already legally obligated to report incident information to numerous governmental agencies, departments, and private organizations.

Given their size, limited share of financial sector assets, and low probability of causing national disruption, community banks should not be considered covered entities under the proposed rule.

ICBA Advocacy: As advocated by ICBA, CIRCIA directs CISA to rapidly share information on cyber threats, harmonize regulations to avoid duplicative reporting requirements, and include trade associations in its rulemaking outreach, among other ICBA priorities.

ICBA to CISA: Exempt community banks from cyber reporting proposal

NewsWatch Today Contacts

Independent Community Bankers of America

ICBA to CISA: Exempt community banks from cyber reporting proposal

NewsWatch Today Contacts

Related News

Treasury proposes expanded jurisdiction over transactions near military installations

Basel Committee moves forward on crypto standards

Survey: Almost all central banks are researching CBDC

SEC warns investors about crypto fraud