FoxPointe Cyber Alert: New Proposed Incident Reporting Requirements for Financial Institutions

This article was written by Christopher Salone, CISA, CCSFP.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently released a Notice of Proposed Rule Making (NPRM) detailing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This proposal mandates that companies report cybersecurity incidents and ransomware payments within strict timelines. Public comments on the NPRM are open until June 3, 2024, and the Final Rule is expected by October 4, 2025.

The forthcoming regulations would require covered entities to inform the federal government of certain cyber incidents within 72 hours of detection and/or within 24 hours of ransomware payment. Financial Institutions are among the entities that would be considered a covered entity under the proposal and would need to comply with the requirements.

The proposed rule outlines several examples of incidents that would require reporting under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Those include:

1. Distributed Denial-of-Service (DDoS) Attack: Any cyber incident that renders a covered entity's service unavailable for an extended period due to a DDoS attack would be reportable.
2. Ransomware Attack: If a cyber incident involves ransomware that encrypts a covered entity's core business systems or information systems, it must be reported.
3. Potential Hazardous Material Release: A cyber incident that significantly increases the potential for a release of hazardous material, such as in chemical manufacturing or water purification, would be reportable.
4. Critical Infrastructure Disruption: Incidents that compromise or disrupt systems involved in Bulk Electric Systems (BES) or disrupt communication services for emergency alerts or 911 calls, or result in false emergency alerts, must be reported.
5. Extended Downtime or System Compromise: Any cyber incident that disrupts a covered entity's information system or network for an extended period or involves unauthorized access to business systems would be reportable.
6. Lockout from Industrial Control System (ICS): A ransomware attack that locks a covered entity out of its industrial control system would require reporting.
7. Unauthorized Access through Software Compromise: If unauthorized access to a covered entity's business systems occurs due to the automated download of tampered software updates, it must be reported.
8. Compromised Credentials from Managed Service Provider (MSP): Unauthorized access to a covered entity's business systems using compromised credentials from a managed service provider would be reportable.
9. Unauthorized Data Exfiltration: Intentional unauthorized exfiltration of sensitive data, such as through compromise of identity infrastructure or unauthorized downloading to storage accounts, would require reporting.

While not yet finalized, FoxPointe recommends reviewing your current incident response plans and breach notification programs to begin preparations for potential adjustments. Ensuring your information security program can detect, protect, respond, and recover from cyber incidents is critical. Institutions should also ensure that their third parties also have robust cybersecurity policies and incident response programs.

Please contact FoxPointe Solutions with any questions you may have.

The proposed rule can be found here: https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/2024-06526-1.pdf

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.