
CIRCIA and Cyber Insurance: What the Reporting Law Means for Your Coverage


By Ryan Windt | Head of Growth Marketing | Updated June 2026


The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is now law, and its reporting timelines are not suggestions. Once CISA’s final rule takes effect, a covered entity that experiences a covered cyber incident (the statute’s term; this post uses “significant incident” as shorthand) will have 72 hours to report it to CISA. A ransom payment must be reported within 24 hours of the payment being made.

The 72-hour clock starts when the entity reasonably believes a covered incident has occurred. In practice that is close to the moment of discovery, not the completion of the forensic investigation, not the point at which you fully understand the scope of what happened, and not the point at which you have legal counsel engaged. A reasonable belief starts the clock; certainty is not required.

For organizations that carry cyber insurance, CIRCIA changes several things. It affects how quickly incident response resources need to be deployed, what your policy needs to cover in terms of regulatory defense, and how your claims process has to be structured to keep pace with federal reporting obligations. Organizations that have not reviewed their coverage with CIRCIA in mind may find that their policy does not actually support the compliance requirements they are now subject to.

This post explains what CIRCIA requires, which organizations it covers, and what the law means for how you structure and use cyber insurance.


What CIRCIA Actually Requires

CIRCIA was signed into law in March 2022. CISA has been developing the implementing regulations since then, publishing a notice of proposed rulemaking in April 2024, with the rulemaking process extending into 2025 and 2026. The law establishes two primary reporting obligations for covered entities.

Covered cyber incident reporting. Covered entities must report a covered cyber incident to CISA within 72 hours after the entity reasonably believes the incident has occurred. The statute uses the term “covered cyber incident,” and CISA’s rulemaking builds that definition on a “substantial cyber incident,” which includes an incident that leads to a substantial loss of confidentiality, integrity, or availability of the entity’s information system or network; a serious impact on the safety and resiliency of operational systems and processes; a disruption of the entity’s ability to engage in business or industrial operations or deliver goods or services; or unauthorized access or disruption caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise. Nation-state attribution is not part of the test; impact is. This post refers to these as “significant” incidents for readability.

Ransomware payment reporting. If a covered entity makes a ransom payment in connection with a ransomware attack, that payment must be reported to CISA within 24 hours of the payment being made. This obligation applies whether or not the ransomware attack itself meets the threshold for a significant incident report.

Both obligations carry a supplemental reporting requirement: a covered entity must promptly submit an updated or supplemental report when substantial new or different information becomes available, and that duty continues until the entity notifies CISA that the incident has concluded and been fully mitigated. A ransom payment made after the initial incident report is itself reportable within 24 hours of the payment.

CISA can issue a request for information to an entity it believes has failed to report and, if the entity does not respond, a subpoena to compel production. An entity that does not comply with the subpoena can be referred to the Department of Justice for a civil enforcement action in federal court. These are not reporting guidelines with soft consequences.


Which Organizations CIRCIA Covers

CIRCIA applies to entities in 16 critical infrastructure sectors as defined by Presidential Policy Directive 21. The sectors include:

  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Healthcare and public health
  • Information technology
  • Nuclear reactors, materials, and waste
  • Transportation systems
  • Water and wastewater systems

The final rules determine which entities within each sector are covered, using both a size-based criterion and sector-specific criteria that apply regardless of size. Not every business that touches a covered sector falls under CIRCIA. But the scope is broad enough that many mid-market organizations in these industries will be covered entities under the final rules, and organizations that assumed CIRCIA applies only to large enterprises should verify that assumption against the final regulatory text.

Sector-specific coverage details:

  • Healthcare and public health: Hospitals, health systems, and large healthcare organizations are clearly covered. The interaction with the existing HIPAA Breach Notification Rule, which runs on a 60-day outer limit rather than 72 hours, creates a dual-reporting environment with two different clocks. Cyber Insurance for Hospitals and Health Systems
  • Energy and utilities: Electric utilities, oil and gas operators, and water systems operating critical infrastructure. NERC CIP obligations layer on top of CIRCIA for bulk electric system operators. Cyber Insurance for Energy and Utilities
  • Financial services: Banks, credit unions, broker-dealers, and other financial institutions already subject to sector-specific reporting requirements. CIRCIA adds a federal layer on top of the 36-hour computer-security incident notification rule that the OCC, FDIC, and Federal Reserve apply to their supervised banks, the NCUA’s 72-hour rule for credit unions, and state regulator notification obligations. Cyber Insurance for Financial Institutions
  • Defense industrial base: Defense contractors and subcontractors handling CUI, many of whom already operate under DFARS 72-hour reporting requirements. CIRCIA creates a parallel CISA reporting obligation. Cyber Insurance for Defense Subcontractors
  • Government facilities: Federal contractors and state and local government entities operating systems that support government functions. Cyber Insurance for Government Contractors
  • Life sciences and critical manufacturing: Pharmaceutical manufacturers and medical device companies (which fall within the healthcare and public health sector) and industrial manufacturers operating critical production systems (critical manufacturing). Cyber Insurance for Life Sciences Companies

Why CIRCIA Changes the Cyber Insurance Conversation

The 72-hour reporting timeline is the number that reshapes how cyber insurance needs to work for covered entities. Here is what that timeline means in practice.

Incident Response Must Begin Immediately

A covered entity that discovers a potential significant incident on a Monday morning cannot spend several days assessing whether the incident meets the reporting threshold before engaging forensic and legal resources. By the time a thorough internal assessment is complete, the reporting deadline may already have passed.

This means forensic investigation, legal counsel engagement, and policy notification must begin as quickly as possible after discovery. Covered entities need to know before an incident occurs which IR firm their carrier uses, what the engagement process looks like, and how quickly resources can be on-site or remote.

Cyber insurance policies that include panel IR firms with rapid deployment commitments are meaningfully more useful for CIRCIA-covered entities than policies that leave IR vendor selection to the policyholder during an active incident.

How carrier incident response panels work: How Cyber Insurance Incident Response Works: Panels, Timelines, and How Carriers Compare

The 24-Hour Ransomware Payment Reporting Window Is Extremely Tight

The ransomware payment reporting obligation is the tightest timeline in CIRCIA. Twenty-four hours from the moment of payment leaves almost no margin for internal deliberation, legal review, or policy coordination.

For covered entities, this creates a pre-incident planning requirement. The decision-making process around whether to pay a ransom, how that payment interacts with OFAC obligations, and what the reporting process looks like needs to be worked out before an incident, not during one. Legal counsel familiar with both CIRCIA obligations and ransom payment law should be pre-identified and on retainer or on the carrier’s panel.

Cyber policies that include coverage for ransom payments should be reviewed to confirm that the claims process can accommodate a 24-hour notification requirement. Coverage that requires extensive prior approval from the carrier before a ransom payment can be made may create friction that is difficult to resolve within the available window.

How ransomware coverage works and what policies actually pay: Ransomware Coverage, Sublimits, and What Your Policy Actually Pays

Regulatory Defense Coverage Needs to Be Explicit

CIRCIA creates a new category of federal regulatory exposure for covered entities. An organization that fails to report within the required timeline faces potential subpoena, referral to DOJ, and the possibility of enforcement action. Responding to that enforcement, even in cases where the organization ultimately complies, generates legal costs.

Standard cyber policy language covers regulatory defense in connection with data breach notification laws. Whether that language extends to CIRCIA enforcement is not always clear, and the regulatory defense provisions of many policies were written before CIRCIA’s rulemaking was finalized. Covered entities should ask specifically whether their policy covers legal costs and regulatory defense in connection with CIRCIA reporting obligations and CISA enforcement.

What cyber policies cover for regulatory fines and defense: Cyber Insurance and Regulatory Fines: GDPR, CCPA, HIPAA, and What Your Policy Actually Pays

Notification Costs May Compound Across Multiple Regulators

For covered entities in heavily regulated sectors, CIRCIA creates a multi-regulator notification environment. A healthcare organization that experiences a significant ransomware attack faces CIRCIA reporting to CISA within 72 hours, HIPAA breach notification to affected individuals without unreasonable delay and no later than 60 days after discovery (and to HHS within the same window when 500 or more individuals are affected), and potentially state breach notification requirements running on different timelines.

A financial institution faces CIRCIA reporting, a 36-hour notification to its primary federal banking regulator under the computer-security incident notification rule, SEC disclosure on Form 8-K within four business days of determining the incident is material (for public companies), and state regulator requirements. Managing multiple concurrent reporting obligations while simultaneously running incident response is operationally complex and expensive.

Cyber policies that fund dedicated breach counsel, notification management, and regulatory coordination across multiple simultaneous obligations are structured for this environment. Policies with low notification cost sublimits or that limit regulatory defense to a single regulator may not be.


How to Prepare Your Coverage for CIRCIA

Covered entities should review their cyber insurance program with the following questions in mind.

Does your policy fund immediate IR deployment? CIRCIA’s timeline requires forensic resources to be engaged within hours of discovery, not days. Confirm that your policy’s incident response provision does not require prior approval processes that would delay engagement.

Is your IR panel pre-vetted and accessible? Know the name of your carrier’s preferred IR firm, how to reach them outside business hours, and what the initial engagement process looks like. This is not something to figure out during an active incident.

Does your regulatory defense coverage explicitly extend to CIRCIA? Ask your broker to confirm in writing whether CIRCIA enforcement defense is covered under your current policy language. If the policy was written before CIRCIA’s final rules, the answer may require a coverage endorsement.

What is your ransom payment approval process? If your policy covers ransom payments, understand exactly what carrier approval is required before a payment can be made and whether that process is compatible with a 24-hour reporting obligation. If the approval process takes longer than the reporting window, you need to know that before an incident.

Does your incident response plan reflect CIRCIA timelines? An IR plan written for HIPAA’s 60-day window or a generic 72-hour notification framework (such as GDPR’s) is not the same as a plan that accounts for CIRCIA’s specific reporting structure, the 24-hour ransom payment clock, the supplemental reporting requirement, and the parallel obligations your sector imposes. The plan should name who makes the “reasonable belief” determination that starts the 72-hour clock, and how that determination is recorded.

What is your notification cost sublimit? If your policy has a sublimit on breach notification costs, confirm it is adequate to cover multi-regulator notification, legal coordination across simultaneous reporting obligations, and the potential for extended regulatory engagement.

The baseline controls and documentation underwriters require: Cyber Insurance Requirements: What Underwriters Actually Check


What CIRCIA Means at Renewal

CIRCIA compliance posture is beginning to appear in underwriting conversations for covered entities, particularly in healthcare, energy, financial services, and the defense industrial base. Carriers view CIRCIA-covered entities as operating under a higher regulatory standard, which cuts both ways.

Organizations that have prepared for CIRCIA, with documented IR plans that reflect the reporting timelines, pre-engaged legal counsel familiar with federal reporting obligations, and tested notification processes, demonstrate operational maturity that underwriters find meaningful. These organizations move through underwriting more smoothly and encounter fewer coverage restrictions.

Organizations that are covered by CIRCIA but have not addressed the reporting obligations in their IR planning or coverage structure present a different risk profile. The potential for regulatory enforcement costs, multi-regulator notification obligations, and the operational complexity of compressed reporting timelines are all factors that can affect coverage terms.

If your organization operates in a CIRCIA-covered sector and you have not yet reviewed your cyber coverage with the reporting obligations in mind, contact SeedPod Cyber. As a broker with access to multiple cyber markets, we can help you identify whether your current coverage supports CIRCIA compliance and where gaps may need to be addressed.


Frequently Asked Questions

When do CIRCIA reporting requirements take effect?

CIRCIA was signed into law in March 2022, and CISA has been developing the implementing rules since then. CISA published its notice of proposed rulemaking in April 2024, and the rulemaking process has extended into 2025 and 2026. The statutory reporting obligations do not apply until the final rule takes effect, and the final rule establishes the specific effective date and compliance deadlines for covered entities. Organizations in covered sectors should monitor CISA’s rulemaking updates and confirm their compliance obligations under the final regulatory text rather than relying on earlier draft timelines.

Does CIRCIA apply to small businesses?

CIRCIA’s rules use size thresholds that exempt some smaller entities, but size is only one of two ways to be covered. CISA’s proposed rule used the SBA small business size standards for the size-based criterion, and separately applied sector-specific criteria that can bring an entity into scope regardless of its size (for example, operators of certain critical functions in a sector). Organizations in covered sectors should not assume they are exempt based on size without verifying both criteria against the final rules.

Does reporting under CIRCIA trigger coverage under my cyber policy?

The act of reporting itself does not trigger coverage. Coverage is triggered by the underlying incident. CIRCIA reporting is an obligation that arises from the incident, and the costs of managing that obligation, including legal counsel for the reporting process and regulatory defense if enforcement follows, should be covered under your policy’s regulatory defense and breach response provisions. Whether your current policy language extends to CIRCIA specifically should be confirmed with your broker.

If I report a ransomware payment to CISA, does that affect my ability to make future ransom payments?

CIRCIA reporting does not by itself prohibit future ransom payments. However, ransom payments remain subject to OFAC regulations, and payments to sanctioned entities are prohibited regardless of CIRCIA. The reporting obligation and the payment legality question are separate issues that both need legal counsel engaged before a payment is made.

How does CIRCIA interact with state breach notification laws?

CIRCIA does not preempt state breach notification laws. Covered entities remain subject to state notification requirements in addition to CIRCIA reporting. The timelines, thresholds, and notification content requirements vary significantly by state, and a significant incident affecting residents of multiple states may trigger several concurrent notification obligations running on different schedules.



CIRCIA creates federal reporting obligations that compress the timeline for incident response and regulatory coordination. If you operate in a covered sector and want to confirm your coverage is structured to support those obligations, contact SeedPod Cyber.