Institute of International Bankers joins coalition urging CISA to rescind and reissue proposed CIRCIA cyber incident reporting rule

The Institute of International Bankers, alongside the Bank Policy Institute, the American Bankers Association and the Securities Industry and Financial Markets Association, urged the Cybersecurity and Infrastructure Security Agency to withdraw and reissue its proposed cyber incident reporting rule under the Cyber Incident Reporting for Critical Infrastructure Act. The associations argue the proposal is overly broad, departs from congressional intent, and would impose burdens that divert resources from incident response and customer protection. The letter calls for limiting reporting to substantial incidents affecting critical services to avoid overwhelming regulators with low-value data, and for clarifying that requirements apply only to U.S. operations of financial institutions and not to incidents occurring entirely outside the United States. It also seeks more targeted collection of actionable information that firms “need to know” to prevent contagion, clearer and reduced supplemental status-update expectations, and a shorter period for retaining forensic data to avoid unnecessary costs. The associations asked CISA to work with industry to craft a revised rule that allows victim firms to focus on responding to attacks rather than prioritising government reporting.