ICBA called on the Cybersecurity and Infrastructure Security Agency to exempt community banks from new cyber reporting rules.

Background: The proposed rule would implement Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) reporting requirements for covered entities, with exemptions for smaller businesses. The law requires critical infrastructure owners to report substantial cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.

Details: In a comment letter to CISA, ICBA said:

  • It generally supports the law and intent of CISA’s proposed rule, though community banks should be fully exempt.

  • The proposed CIRCIA rule would introduce unnecessary complexities and burdens on community banks, which are already legally obligated to report incident information to numerous governmental agencies, departments, and private organizations.

  • Given their size, limited share of financial sector assets, and low probability of causing national disruption, community banks should not be considered covered entities under the proposed rule.

ICBA Advocacy: As advocated by ICBA, CIRCIA directs CISA to rapidly share information on cyber threats, harmonize regulations to avoid duplicative reporting requirements, and include trade associations in its rulemaking outreach, among other ICBA priorities.