Author: John Farley


On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) announced their proposed rules for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).*

The CIRCIA legislation is aimed at enhancing the cybersecurity of critical infrastructure sectors and improving incident reporting to relevant government agencies.

While the proposed rules aren't expected to be finalized until at least 18 months from now, it's important for affected organizations to be familiar with the key aspects of the CIRCIA reporting requirements.

Cyber Incident Reporting for Critical Infrastructure Act highlights

Scope and applicability

CIRCIA applies to organizations operating in critical infrastructure sectors. If your organization falls within these sectors, it's important to understand the reporting obligations outlined in CIRCIA:
  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Public health
  • Information technology
  • Nuclear reactors, materials and wastewater
  • Transportation systems
  • Water and wastewater systems

Reporting requirements

Under CIRCIA, organizations are required to report cyber incidents to CISA that meet certain criteria and within a specified timeframe. While the proposed rules contain some reporting exceptions, the reporting criteria include incidents that:

  • Result in unauthorized access to critical systems or data
  • Cause significant disruption to critical infrastructure operations
  • Involve ransomware or other malicious software targeting critical infrastructure
  • Result in physical harm or loss of life

Reporting timelines

CIRCIA mandates reporting cyber incidents to CISA within 72 hours "after the covered entity reasonably believes the covered cyber incident has occurred" and ransomware payments within 24 hours of the payment being made, unless payment is accompanied by an incident, in which case the organization has 72 hours to report.*

Incident reporting format

CISA is expected to provide guidelines on the specific reporting format and information required. However, organizations should be prepared to provide details such as the nature of the incident, affected systems, potential impact and any mitigation measures taken.

Protection of sensitive information

CIRCIA emphasizes the protection of sensitive information shared during incident reporting. Organizations should ensure that appropriate safeguards are in place to protect any proprietary or confidential information shared with CISA.

Collaboration with CISA

CIRCIA encourages collaboration between organizations and CISA to facilitate incident response and information sharing. Organizations should establish communication channels and points of contact to facilitate effective collaboration with CISA during incident reporting and response efforts.

Penalties for non-compliance

Failure to comply with CIRCIA reporting requirements may result in penalties, including fines and potential legal consequences. It's essential to prioritize compliance with CIRCIA to avoid any adverse consequences.

CISA's proposed incident reporting mandates add another layer of complexity to an already daunting regulatory landscape governing when companies are required to report cybersecurity incidents. We recommend that organizations review current incident response plans and procedures to ensure compliance with CIRCIA reporting requirements. It's also advisable to stay updated on any guidelines or additional information provided by CISA regarding incident reporting under CIRCIA.

Cyber insurance impacts

The Cyber insurance market remains laser-focused on threats to critical infrastructure. Concerns continue to focus on the potential for an attack or a system outage on a critical infrastructure target. A significant cyber attack against one of these could lead to a dreaded systemic loss, having a cascading impact on multiple insureds around the globe.

As a result, the Cyber insurance marketplace has addressed these concerns by changing coverage, in some cases restricting or excluding it. When reviewing Cyber insurance and other policies that may provide a mechanism to transfer cyber risk for critical infrastructure and those that rely on them, insureds should be mindful of several potential coverage pitfalls, including but not limited to:

  • Critical infrastructure exclusions that may eliminate coverage for all losses related to a specified critical infrastructure target
  • Catastrophic or widespread loss sub-limits and exclusions that may limit or exclude coverage for cyber losses that impact a large number of organizations
  • Contingent business interruption sub-limit or exclusionary language that may apply to organizations that were not direct targets, but suffer consequences of a critical infrastructure cyber attack
  • Cyber war exclusionary language that's generally being broadened and may contain ambiguous or undefined terms
  • Regulatory risks that may limit or exclude coverage for regulatory investigations, lawsuits, fines and settlements

Cyber insurance and other insurance policies may provide assistance to organizations that believe they may be impacted by losses related to these types of incidents, directly or indirectly, through either vendor or supply chain relationships. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with Cyber insurance should be mindful of claim reporting obligations to Cyber insurance carriers, requirements to use insurance panel breach response vendors, evidence preservation and other issues that may affect attorney-client privilege.

If you have any questions or require further assistance in understanding and implementing CIRCIA reporting requirements, please contact us. We're here to support you in navigating these new obligations and strengthening your cybersecurity posture.

*"Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting," Department of Homeland Security Cybersecurity and Infrastructure Security Agency, 4 Apr 2024. PDF file.