As a business owner, you juggle a dozen things at once. But there's a new federal rule called the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that you can't afford to ignore. It might sound like another piece of boring regulation, but it has real teeth and could impact your business sooner than you think.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law by President Biden in March 2022. You can read the official law text at Congress.gov. The reporting requirements are expected to take effect in 2026 once the final rules are published. For more information, visit the official CISA CIRCIA page.
In simple terms, if your business is considered part of the nation's critical infrastructure and you suffer a serious cyber incident, you now have a legal duty to report it to the federal government within 72 hours. And if you pay a ransom, you have just 24 hours to report it. This isn't a suggestion; it's the law.
You might be thinking, "My business isn't critical infrastructure." But the definition is broader than you might expect. If your business operates in or even just relies on any of the following sectors, you could be on the hook:
Healthcare: Clinics, medical data processors, and suppliers.
Financial Services: Companies involved in payments, payroll, or financial data.
Manufacturing & Logistics: Factories, supply chain partners, and transportation companies.
Utilities & Energy: Power, water, and other essential services.
Technology: Cloud providers, software-as-a-service (SaaS) companies, and Managed Service Providers (MSPs).
Government Contractors: Any business that provides services to federal, state, or local government.
Even if your business is small, you can be affected if you're a vendor to a larger company in one of these sectors. Their problem quickly becomes your problem.
We're not talking about a computer running slow. These are real-world scenarios that could easily trigger the 72-hour clock:
Ransomware: An attack that locks up your files and demands payment.
Cloud Outage: Your cloud provider goes down, and your customers can't access your services.
Vendor Breach: One of your software vendors gets hacked, and your customer data is exposed.
Email Fraud: An employee is tricked into wiring money to a scammer.
Data Theft: A hacker steals your data, even if they don't lock you out.
If an incident materially impacts your operations, data, or safety, it's likely reportable.
Many business owners believe their cyber insurance policy is a silver bullet. It's not. When it comes to CIRCIA, your policy might have some serious gaps:
Reporting Costs: Your policy might not cover the costs of investigating and reporting the incident to the government.
Insurer Approval: Some policies require you to get the insurer's permission before you report an incident, but the government's 72-hour clock doesn't wait for your insurer to call you back.
Business Interruption: Your coverage for lost income might not kick in for days, leaving you to foot the bill in the meantime.
Vendor Exclusions: Your policy might not cover incidents that originate from your vendors or suppliers.
If your insurance policy slows you down, you're the one who bears the legal risk, not the insurance company.
This isn't just an IT problem; it's a business problem. Here are a few practical steps you can take to prepare:
Know Your Risk: Talk to your IT provider or a trusted advisor to understand if your business is likely to be covered under CIRCIA.
Review Your Insurance: Ask your insurance broker pointed questions. Does your policy cover regulatory reporting? Are there waiting periods for coverage to start? What happens if a vendor is the source of the breach?
Make a Plan: Don't wait for an incident to happen. Decide now who has the authority to report an incident to the government. Make sure you have legal counsel you can call on a moment's notice.
Check Your Contracts: Review your contracts with your key vendors. Are they required to notify you immediately if they have a security incident? Their delay is your liability.
CIRCIA has shortened the timeline for responding to a cyberattack. Being prepared is no longer optional. The good news is that taking these steps now will cost you far less than cleaning up after a single bad incident.
Learn More: For additional resources and to understand if your business might be affected, visit CISA's CIRCIA information page or the official law on Congress.gov.