Cybersecurity Incident Reporting Requirements in the US

Federal and state incident reporting obligations have expanded significantly since the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), creating a layered compliance environment that affects organizations across 16 critical infrastructure sectors. This page covers the regulatory framework governing who must report cybersecurity incidents, to which agencies, within what timeframes, and under what threshold conditions. Understanding this landscape is essential for compliance officers, legal counsel, IT security leaders, and the cyber safety provider professionals who serve them.


Definition and scope

A cybersecurity incident, for reporting purposes, is a discrete event or series of events that compromises the confidentiality, integrity, or availability of information systems or the data they process. The National Institute of Standards and Technology (NIST) defines a cybersecurity incident as actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.

Reporting requirements are not uniform. Obligations vary by:

  1. Sector — whether the organization operates in healthcare, financial services, energy, transportation, defense, or another designated critical infrastructure sector
  2. Incident type — ransomware, data breach, unauthorized access, denial-of-service, supply chain compromise
  3. Affected population or data volume — thresholds that trigger mandatory notification (e.g., number of records affected, percentage of network capacity disrupted)
  4. Entity classification — federal agency, federal contractor, publicly traded company, covered entity under HIPAA, or financial institution under GLBA

The scope of CIRCIA extends to "covered entities" within critical infrastructure as designated by the Cybersecurity and Infrastructure Security Agency (CISA), though final implementing regulations were still under rulemaking as of the most recent CISA notice-and-comment period.


How it works

Incident reporting in the US operates through parallel, sometimes overlapping, regulatory channels. No single agency consolidates all reporting obligations. The primary reporting pathways are:

  1. CISA — Under CIRCIA (6 U.S.C. § 681b), covered entities must report covered cyber incidents within 72 hours of reasonably believing an incident has occurred, and ransomware payments within 24 hours of payment.
  2. Department of Health and Human Services (HHS) / Office for Civil Rights — Covered entities and business associates under HIPAA (45 CFR §§ 164.400–414) must report breaches affecting 500 or more individuals to HHS within 60 calendar days of discovery. Smaller breaches are logged and reported annually.
  3. Securities and Exchange Commission (SEC) — Under the SEC's cybersecurity disclosure rules adopted in 2023, publicly traded companies must disclose material cybersecurity incidents on Form 8-K after determining that the incident is material; the disclosure clock runs from the materiality determination, not from the date of the incident itself.
  4. Financial Industry Regulatory Authority (FINRA) and banking regulators — Broker-dealers and banking institutions operate under separate notification standards, including the FFIEC Cybersecurity Incident Response guidance and the 36-hour notification requirement for banking organizations under the OCC, Federal Reserve, and FDIC joint final rule effective May 2022.
  5. State attorneys general and data protection agencies — All 50 states maintain independent breach notification statutes, with notification windows ranging from 30 to 90 days depending on jurisdiction.

Common scenarios

The most frequently encountered incident reporting situations fall into distinct categories, each triggering different regulatory pathways.

Ransomware with payment — An organization pays a ransom demand. CIRCIA requires a 24-hour ransom payment report to CISA, separate from the 72-hour covered cyber incident report. The CISA ransomware reporting portal accepts both filings. If patient health data was encrypted, the HIPAA breach notification clock also starts on the date of discovery.

Data breach involving personal information — A database of 80,000 consumer records is exfiltrated. This triggers state breach notification laws for every state where affected residents reside, HIPAA reporting if the records include protected health information, and potentially SEC Form 8-K disclosure if the reporting entity is a public company that determines the incident is material.

Unauthorized access to federal systems — A federal contractor experiences an intrusion into systems holding Controlled Unclassified Information (CUI). Reporting obligations flow through NIST SP 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires rapid reporting to the Department of Defense (DoD) Cyber Crime Center (DC3) within 72 hours.

Denial-of-service disrupting critical operations — A utility or hospital experiences a sustained distributed denial-of-service attack affecting operational continuity. This falls within CISA's covered incident definition and may also implicate sector-specific regulators such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards for the energy sector.


Decision boundaries

Determining whether and where to report requires resolving four threshold questions:

  1. Is the organization a covered entity? CIRCIA's definition of covered entity under 6 U.S.C. § 681 is broad, but the implementing rule published by CISA will set precise scope. Organizations in the 16 sectors designated by Presidential Policy Directive 21 (PPD-21) should assume coverage.
  2. Does the incident meet the "covered cyber incident" threshold? CISA defines this as an incident that leads to substantial loss of confidentiality, integrity, or availability; a serious impact on safety and resiliency of operational systems; or disruption of business or industrial operations. Minor security events that do not meet this threshold do not trigger CIRCIA reporting.
  3. Is there a concurrent HIPAA, SEC, or sector-specific obligation? An incident that triggers CIRCIA reporting may simultaneously trigger HIPAA, SEC, DFARS, or state-law obligations. These run in parallel, not sequentially.
  4. Has personal data been "breached" under state definitions? State statutes vary in their definition of a breach. California's CCPA/CPRA and California Civil Code § 1798.82 set notification obligations that differ from, for example, New York's SHIELD Act in scope and timing.


