Cybersecurity Safeguards

CISA cyber incident reporting requirements are ‘beneficial steps’

November 15, 2022

Cyberattacks and cybersecurity vulnerabilities pose significant threats to the financial system, and CUNA is dedicated to supporting cybersecurity practices that mitigate these risks, it wrote to the Cybersecurity and Infrastructure Security Agency (CISA) Monday.

CISA issued a request for information on developing proposed regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). 

“CUNA’s surveys of member credit unions continue to rank cybersecurity as a top priority, especially as malicious actors take advantage of the unprecedented global digital transformation which was accelerated by the COVID-19 pandemic,” the letter reads. “The cyber incident reporting requirements and information sharing mandated by the CIRCIA are beneficial steps that will hopefully provide actionable intelligence that critical infrastructure entities can use to bolster their defenses against cyberattacks.”

CUNA also recommends CISA:

  • Clearly define “covered cyber incident” and appropriately tailor the definition to capture only incidents with the potential to harm national security, economic security, or public health and safety.
  • Include comprehensive lists of reportable and non-reportable cyber incidents, including commentary regarding the application of the rule to the included examples.
  • Develop a clear, streamlined, and accessible process for incident reporting that allows for a range of channels accounting for possible limitations in the covered entity’s capabilities following a reportable incident.
  • Prioritize existing reporting frameworks and sector-specific expertise in determining “substantially similar” reporting.
  • Focus on coordination with fellow agencies and regulators to which covered entities are already reporting cyber incident information; otherwise, the administrative burden and duplicative reporting requirements will overwhelm entities and impede the effective and efficient execution of cyber incident response programs.