CISA publishes cyber incident reporting proposal

Federally insured credit unions could be required to submit cyber incident reports within 72 hours following a new proposal from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

The agency Wednesday posted a Notice of Proposed Rulemaking (NPRM) required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The legislation requires CISA to develop and implement regulations requiring covered entities – including federally insured credit unions “regulated by the NCUA” – to report covered cyber incidents and ransomware payments.

Credit unions would have to submit a Covered Cyber Incident Report to CISA no later than 72 hours after the covered entity reasonably believes the covered cyber incident occurred. The NCUA’s current cyber incident notification standard in Part 748 of its rules requires notice of a cyber incident within the same timeframe.

The proposal contains potential regulations for cyber incident and ransom payment reporting, as well as other rules designed to implement the CIRCIA’s statutory requirements.

Credit unions can provide feedback on the NPRM; it will have a 60-day comment period once published in the Federal Register.

America’s Credit Unions legacy organizations filed comments in response to the original request for information in 2022, and the organization will engage with the NCUA and CISA to ensure credit unions are able to utilize regulatory exceptions designed to prevent duplicative reporting regimes.

Scroll to Top