WASHINGTON—NAFCU and CUNA have each written letters to the Cybersecurity and Infrastructure Security Agency (CISA) in response to the organization’s request for information (RFI) on implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
In NAFCU’s letter, the trade association noted that NCUA recently issued a proposed rule to conform its cyber incident reporting requirements with CIRCIA’s framework.
In the letter, NAFCU Senior Counsel for Research and Policy Andrew Morris urged CISA to “recognize that the NCUA’s recently proposed cyber incident reporting standard already matches the 72-hour requirement for substantial cyber incidents,” reiterating “the need for harmonization with future CISA standards,” and to permit credit unions to take advantage of the “substantially similar” exception for direct reporting included in CIRCIA, which could permit the industry to follow the NCUA’s rules and report to one agency.
Additionally, NAFCU is asking CISA to limit administrative burden and duplicative reporting mechanisms, as credit unions are already subject to rigorous cybersecurity regulations that cover incident response activities.
CUNA’s Letter
Separately, in its letter, CUNA said its “surveys of member credit unions continue to rank cybersecurity as a top-priority, especially as malicious actors take advantage of the unprecedented global digital transformation which was accelerated by the COVID-19 pandemic.
“The cyber incident reporting requirements and information sharing mandated by the CIRCIA are beneficial steps that will hopefully provide actionable intelligence that critical infrastructure entities can use to bolster their defenses against cyberattacks,” the letter continued.
CUNA also recommended CISA:
- Clearly define “covered cyber incident” and appropriately tailor the definition to capture only incidents with the potential to harm national security, economic security, or public health and safety
- Include comprehensive lists of reportable and non-reportable cyber incidents including commentary regarding the application of the rule to the included examples
- Develop a clear, streamlined, and accessible process for incident reporting that allows for a range of channels accounting for possible limitations in the covered entity’s capabilities following a reportable incident
- Prioritize existing reporting frameworks and sector-specific expertise in determining “substantially similar” reporting
- Focus on coordination with fellow agencies and regulators to which covered entities are already reporting cyber incident information; otherwise, the “administrative burden and duplicative reporting requirements will overwhelm entities and impede the effective and efficient execution of cyber incident response programs.”
