US Banks Seek To Overturn Cyber Incident Reporting Rule

March 6, 2025
A coalition of US banking associations has requested that a proposed rulemaking on cyber incident reporting be withdrawn, claiming that it “diverges” from Congressional intent and imposes “unnecessary burdens” on firms.

Last week, the American Bankers Association (ABA), Bank Policy Institute (BPI) and the Institute of International Bankers (IIB) wrote to White House staff to request that the rule be rescinded and reissued.

The proposed rulemaking is the set of reporting requirements that will implement a key piece of legislation known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for crafting CIRCIA’s reporting requirements, which will require covered entities to report covered cyber incidents and ransomware payments to CISA.

In turn, these reports are expected to empower CISA to provide assistance to victims of cyber-attacks faster and more effectively.

The reports will also allow CISA to analyse incoming cyber incident activity across sectors to spot trends, and to quickly share that information with network defenders to warn other potential victims.

However, CISA’s 133-page proposed rulemaking, issued in April 2024, has proved unpopular with banks, which are concerned about the rule’s “wide-ranging” and “burdensome” requirements.

“We believe the proposed rule will have significant and detrimental repercussions if not substantially revised,” the associations wrote.

“As such, we ask that you work with industry to craft a new rule that allows a victim company to focus its resources on responding to an attack rather than filing government reports.”

Diverging from Congressional intent

When Congress was considering CIRCIA, the associations said they supported the legislation in principle, as it sought to establish a uniform incident reporting standard across all critical infrastructure sectors.

They believed that this would provide CISA with the necessary information to better defend against future cyber-attacks, which would benefit the banking industry in particular.

The associations now accuse CISA of “meaningfully departing” from the intent of CIRCIA, and of diverting the resources of cyber defenders away from critical response and recovery activities.

“This includes expansive thresholds for reporting that would capture de minimis outages to non-critical services and extensive data elements that, as currently drafted, will consume the finite time of critical personnel,” they said.

“It is therefore vital that CISA issue a new proposed rule that is not only more consistent with Congressional intent, but will also achieve CIRCIA’s central purpose to ‘enhance the situational awareness of cybersecurity threats across critical infrastructure sectors’.”

The associations’ letter also quoted several Congressional leaders who share the view that CISA’s notice of proposed rulemaking (NPRM) undermines CIRCIA’s intent.

Representative Andrew Garbarino (R-NY) said the proposed rulemaking “ignores the burden” to industry and would cause compliance workloads to “skyrocket”, if adopted in its current form.

Senator Gary Peters (D-MI) also said the rulemaking “fails” to reflect both Congressional intent and the recommendations of those covered by the law.

Next steps

CISA is currently working towards an October 2025 statutory deadline for issuing a final rule.

The banking associations requested that the agency commit to further dialogue with industry stakeholders as soon as possible.

“If appropriately calibrated, CIRCIA could significantly improve how critical infrastructure entities and the US government defend against pervasive threats from hostile nation states,” they said.

“We would welcome an ongoing dialogue with you to strike the balance Congress intended between ‘getting information quickly and letting victims respond to an attack without imposing burdensome requirements’.”
