Do the New Federal Cyber Reporting Mandates Affect You?

As of 2025, many businesses are required to follow new cybersecurity reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). 

These requirements apply to all entities operating within the 16 critical infrastructure sectors defined by the Cybersecurity & Infrastructure Security Agency (CISA). Failure to comply could result in penalties.

What counts as critical infrastructure?

According to CISA, a critical infrastructure sector has “assets, systems and networks, whether physical or virtual, [that] are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

Critical infrastructure entities include those operating in these arenas:

Chemical sector
Commercial facilities
Communications
Critical manufacturing
Dams
Defense industrial base
Emergency services
Energy
Financial services
Food and agriculture
Government services and facilities
Health care and public health
Information technology
Nuclear reactors, materials and waste
Transportation systems
Water and wastewater

A swath of businesses and government entities across the American economy is impacted. If just one part of your organization operates or provides critical services in any of these sectors, your entire organization is expected to follow the cyber guidelines. That’s true even if your primary business is outside the 16 sectors.

If you’re uncertain of your classification, your risk advisor can help you work through CISA’s “covered entity” decision tree. This can help you determine whether CIRCIA reporting rules apply to your organization.

The new rules

Under the new rules, any entity operating within one of the critical infrastructures listed above must report all significant cybersecurity incidents and ransomware payments to CISA.

The requirements were introduced in CIRCIA, and organizations had until July 3, 2024, to submit their comments about the act as initially written. Until those comments are reviewed and any subsequent changes are approved, the law won’t be official. Still, the final outcome is expected to include two general parameters. Covered entities must:

Inform CISA of any significant cyber incidents within 72 hours.
Reveal ransomware payments to CISA within 24 hours.

Applicable businesses and government entities should begin following all basic guidelines of the proposed law.

What’s considered “significant”?

Your organization likely faced some type of cyber threat today. It probably did yesterday and will again tomorrow as well. But more routine threats, like phishing emails or malware-infected links, are not the target of CIRCIA. While they may disrupt your organization, they don’t pose a significant threat to infrastructure. In other words, they are unlikely to take down an entire sector.

CIRCIA requires reporting on only what it considers a “significant” or “substantial” cyber incident. To qualify, all of these factors must be true:

Your organization must have operations in at least one critical infrastructure sector (even if it’s not the one involved in the cyber incident).

The compromise must lead to at least one of the following:
Substantial loss of confidentiality or data/system integrity
Serious impact on the safety and resilience of your operational systems and processes
Disruption of your operations or ability to deliver goods or services
Unauthorized access to your information system, network or nonpublic information caused by a supply chain compromise or a breach of a cloud service provider, managed service provider, or other third-party provider that hosts data

The security incident must not just threaten, but actually cause, one of the impacts, disruptions or losses listed above.

Why the law is needed

Critical infrastructure sectors worldwide face an almost constant threat of cyber attack. In 2023 alone, there were more than 420 million incidents, or 13 per second, according to Forescout Research – Vedere Labs. That’s a 30% increase over 2022 levels. Better data can help change that trend.

CIRCIA is not intended to put a spotlight on cyber victims or publicly shame organizations that fall prey to cybercriminals. The act specifies that any data collected from submitted reports cannot be used for regulatory enforcement.

Rather, CIRCIA’s intent is to improve awareness and understanding of ongoing and evolving threats. It has four goals:

CISA and the cybersecurity community at large, including researchers, hardware and software developers, and IT departments, will be able to develop more appropriate responses to threats.
Windows of opportunity will shrink for cybercriminals.
CISA will be able to quickly deliver more targeted support to cybercrime victims.
Educational materials will evolve in real time to minimize the number of additional attacks.

Who will know about your incident reports?

All incident reports are considered confidential. There won’t be a CIRCIA database that people can peruse to find your organization. However, information in your report can be obtained via subpoena or a Freedom of Information Act request, so your organization is not shielded from all potential actions.

Reporting is to your advantage

The most obvious reason for following the CIRCIA guidelines is that failure to comply could result in a subpoena, suspension or exclusion from government contracts.

More important are the advantages of reporting. It may hasten the speed of support services available through CISA. It may prevent a subsequent attack. And it will improve the collective knowledge of cybercrime tactics and give critical infrastructure a better counterplan for protection. Insurers use federal mandates as a guideline for underwriting coverage, so the better your cyber hygiene, the better your terms and pricing for cyber insurance will be.

The importance of cyber insurance

Discuss appropriate cyber liability coverage with your insurance agent. All organizations connected to the internet need cyber liability insurance. You may need directors and officers liability insurance as well. Your insurance agent or broker can help you craft a well-rounded set of policies. This will help ensure you’re protected if a breach leads to claims against your organization.