The American Bankers Association and three financial sector associations today urged Trump administration officials to rescind and reissue a proposed rule requiring financial institutions and other “critical infrastructure” businesses to report cyber incidents and ransomware payments.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, established reporting requirements for critical infrastructure entities in the economy, including financial services. The Cybersecurity and Infrastructure Security Agency last year proposed a rule to implement CIRCIA that would require covered entities to report significant cyber incidents to the Department of Homeland Security or CISA within 72 hours, and any ransomware payments within 24 hours.
ABA has previously argued the proposal was too stringent in its reporting requirements. In a letter to the heads of DHS and the Office of Management and Budget, the associations reiterated those concerns, saying the rule “will have significant and detrimental repercussions if not substantially revised.”
“Unfortunately, CISA’s [proposed rule] envisions a wide-ranging incident reporting regime that meaningfully departs from Congressional intent and would divert the attention of cyber first responders away from the critical tasks of response and recovery,” the associations said. “This includes expansive thresholds for reporting that would capture de minimis outages to non-critical services and extensive data elements that, as currently drafted, will consume the finite time of critical personnel.”
“If appropriately calibrated, CIRCIA could significantly improve how critical infrastructure entities and the U.S. government defend against pervasive threats from hostile nation states,” the associations added. “As we move toward CIRCIA’s October 2025 statutory deadline for issuing a final rule, we would welcome an ongoing dialogue with you to strike the balance Congress intended ‘between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.’”