CISA should coordinate with NCUA on CIRCIA reporting requirements

The Cybersecurity and Infrastructure Security Agency should work closely with the NCUA to coordinate cyber incident reporting in a manner least duplicative for credit unions, America’s Credit Unions Director of Innovation and Technology Andrew Morris wrote to CISA Wednesday. CISA issued proposed rules to implement requirements in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was enacted in 2018.

CIRCIA requires CISA to implement a cyber incident reporting framework for critical infrastructure owners by 2025, with requirements to report “substantial” cyberattacks to CISA within 72 hours after forming a “reasonable belief” a covered incident has occurred, and any ransomware payments to CISA within 24 hours of payment.

“America’s Credit Unions supports the objective of timely and accurate cyber incident reporting; however, we urge CISA to recognize the reporting standards already applicable to credit unions and coordinate with the NCUA to ensure that the substantially similar reporting exception is something the industry can use to reduce administrative burden,” Morris wrote. “A streamlined reporting process that avoids redundancy will allow credit unions to focus their resources on mitigation and response activities rather than on duplicative compliance tasks.”

Morris adds that CISA should also:

  • Recognize the NCUA’s use of follow-up supervisory processes as substantially similar to supplemental reporting;
  • Establish an enforceable CIRCIA Agreement with NCUA well before the effective date of a final rule. NCUA has already expressed a desire to closely coordinate with CISA to avoid future overlap and duplication; and
  • Allow the substantially similar reporting exception to operate if relevant state financial institution regulators have executed an agreement with CISA to share reports.