A group of financial organizations sent an open letter to the US cybersecurity agency CISA, urging it to rescind and reissue the proposed implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CIRCIA, which was signed into law in March 2022, requires covered entities to report any major cybersecurity incident within 72 hours, and to report ransomware payments within 24 hours of making the payment.
Last year, CISA asked for public comment on a proposed rulemaking, saying that CIRCIA would lead to better understanding of cyber threats and that the cyber incident reporting rule would likely impact roughly 316,000 entities.
CISA’s proposed rules to implement CIRCIA are set to enter effect in October 2025, but the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association believe that it would have detrimental repercussions in its current form.
According to the advocacy group, while CIRCIA is expected “to establish a uniform incident reporting standard across all critical infrastructure sectors,” CISA’s notice of proposed rulemaking (NPRM) departs from the initial intent and requires organizations to divert resources from response and recovery.
“We ask that you work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports,” reads the open letter (PDF) from the financial organizations.
Citing public figures voicing concerns over CISA’s NPRM missing the mark and adding additional burden on the covered entities, the group requests that CISA adjusts the proposed rulemaking ahead of CIRCIA’s October 2025 statutory deadline for issuing a final rule.
“We would welcome an ongoing dialogue with you to strike the balance Congress intended ‘between getting information quickly and letting victims respond to an attack without imposing burdensome requirements’” the open letter reads.
As Reuven Aronashvili, founder and CEO at CYE, recently told SecurityWeek, this is exactly the type of challenges that regulations could face in 2025, when “introducing uncertainty for organizations working to meet cybersecurity compliance standards”.
“For example, laws such as CIRCIA, which requires prompt reporting of cyber incidents, could come under increased scrutiny and legal disputes. This may disrupt the consistency and dependability of reporting obligations, posing challenges for CISOs in developing effective response strategies,” Aronashvili said.
Related: Bipartisan Bill to Tighten Vulnerability Disclosure Rules for Federal Contractors
Related: Supreme Court Ruling Threatens the Framework of Cybersecurity Regulation
Related: US Issues Final Rule for Protecting Personal Data Against Foreign Adversaries
Related: New Rules for US National Security Agencies Balance AI’s Promise With Need to Protect Against Risks