On March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was
signed into law. Under CIRCIA, “covered entities” (which include banks and credit unions) are required to
report to the Cybersecurity and Infrastructure Security Agency (CISA) “covered cyber incidents” and
“ransom payments” within certain prescribed timeframes. Although CIRCIA was signed into law in 2022,
the law required the director of CISA (Director) to implement the CIRCIA reporting requirements through
rulemaking.
On April 4, 2024, CISA issued a proposed rule to implement CIRCIA’s cyber incident and ransom payment
reporting requirements (Proposed Rule). The Proposed Rule addresses the types of entities, the types of
incidents and the content of reports that will need to be submitted to CISA once a final rule is implemented.
Notably, under the Proposed Rule all banking or other organizations regulated by the Federal Reserve
Board (FRB), the Office of the Comptroller (OCC), the Federal Deposit Insurance Corporation (FDIC) or the
National Credit Union Administration (NCUA) would be subject to the Proposed Rule. Therefore, the
Proposed Rule sets forth new breach notification requirements that would be applicable to BCG Members.
Please join us at the May BCG Monthly Telephone Briefing where we will discuss the Proposed Rule.
Questions will be welcome. Handout to be posted on Thursday, May 16th.
Friday, May 17, 2024
12:00 - 1:30 p.m.
On March 27, 2024, the U.S. Department of Treasury (Treasury) released a report entitled “Managing
Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector” (the “AI Risk Report”).
The AI Risk Report was written pursuant to Presidential Executive Order 14110.
The AI Risk Report provides an overview of the state of artificial intelligence (AI) in the financial services
sector (including banks and credit unions) and the various security and resiliency challenges that AI
presents. The AI Risk Report also highlights AI-specific cybersecurity threats and describes some best
practices that could be deployed to mitigate these AI-related risks. While the regulatory landscape around
AI is still evolving, the AI Risk Report includes some helpful information institutions might want to consider
when developing their approach to AI.
Please join us at the May Monthly Telephone Briefing when we will discuss the AI Risk Report.
Handout to be posted on Thursday, May 16th.