Extraordinary Leadership for North Dakota Banks
Proposed Rule to Require Reporting of Cyberattacks, Ransomware Payments
Posted: Apr 03 2024
The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, has issued a notice of proposed rulemaking to implement a 2022 law requiring financial institutions and other “critical infrastructure” businesses to report cyber incidents and ransomware payments to the department and agency.
Under the proposal, regulated financial institutions and other critical infrastructure sectors would be required to report significant cyber incidents to DHS or CISA within 72 hours and any ransomware payments within 24 hours. They would also be required to “promptly” file supplemental reports if “substantial new or different information” becomes available about the incident. The reporting requirements are in addition to existing computer security incident notifications that are required to be made to financial regulators within 36 hours and a new Securities and Exchange Commission requirement for publicly traded companies to report significant cyber incidents to the public within four business days.
The proposed 450-page rulemaking by CISA would implement the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, of 2022, which establishes reporting requirements for several sectors of the economy, including financial services. Covered entities would be required to submit CIRCIA reports through the CIRCIA Incident Reporting Form available on CISA’s website or in any other manner approved by CISA’s director.
Cyber incidents that must be reported include denial-of-service attacks that render a covered entity’s services unavailable to customers for an extended period of time, cyberattacks that encrypt one of the entity’s core business systems or information systems, unauthorized access to an entity’s business systems caused by tampered software or compromised credentials, and ransomware attacks that lock an entity out of its industrial control systems. Reports must include contact information for the entity, a description of the affected systems, the effects on the entity’s operations, and more. Ransomware payment reports must include the date and amount of the payment, among other things.
To read more, visit:
https://www.cisa.gov/news-events/news/cisa-marks-important-milestone-addressing-cyber-incidents-seeks-input-circia-notice-proposed