April 22, 2024

Overview

Just as the cyber risk landscape is ever evolving, so is the regulatory response to its impact on critical infrastructure. Most recently, the Cybersecurity and Infrastructure Security Agency (CISA) opened a public comment period on its proposed incident reporting regulations for critical infrastructure.

 

The release of CISA's proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) for public comment is a momentous milestone for cybersecurity, as these are the first proposed federal measures requiring critical infrastructure organizations to report both cyber incidents and ransomware payments. The comment period will remain open until June 3, 2024. Although the regulations are not slated to take effect until October 2025, CISA encourages organizations to start reporting incidents voluntarily now so that other organizations can be warned before they become victims of the same campaigns. According to CISA, the intent of the proposed rule is to give federal agencies more complete insight into incidents affecting critical infrastructure. As CISA Director Jen Easterly states, “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”

 

As the document stands right now, several operational procedures would have to be implemented before the regulation takes effect. During the open comment period, CISA and other agencies will be listening to stakeholders regarding the proposed rules. CISA intends to use the comments it collects as substantial input for strategies that improve resilience, incident response and mitigation over time. The predominant measures under review require that a covered entity report a covered cyber incident within 72 hours of reasonably believing the incident has occurred, and report a ransom payment within 24 hours of making it.

 

Who Is Impacted

This new federal regulation affects several industries, verticals and domains. As CISA explains, there are currently 16 critical infrastructure sectors, along with the private businesses in those sectors' supply chains, that are vital to operations within the United States:

 

  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Healthcare and public health
  • Information technology
  • Nuclear reactors, materials and waste
  • Transportation systems
  • Water and wastewater systems

 

Implementing the proposed CIRCIA rule will formalize information sharing between the public and private sectors, create reporting councils to further improve communication between those sectors and authorize additional initiatives and guidelines.

 

Identification and Reporting Guidelines

A few of the initiatives spell out how a reportable cyber incident is identified. According to CISA, examples include: a DDoS attack; a ransomware attack; data exfiltration; a loss of confidentiality, integrity or availability of data in the information system or operational technology stack; unauthorized access to or through a third-party service provider, for example via a supply-chain compromise; or a disruption of business operations that impairs engagement with customers.

 

The CIRCIA draft document includes the following reporting guidelines indicating what must accompany the report of a ransom payment or the disclosure of a cyber incident:

  • Incident date and time
  • Incident location
  • Type of observed activity
  • Detailed narrative of the event
  • Number of people or systems affected
  • Company/organization name
  • Point of contact details
  • Severity of event
  • Critical infrastructure sector (if known)
  • Any other parties already informed (for example, law enforcement)

 

Today, organizations can share information about unusual cyber activity and cyber incidents via www.cisa.gov/report. Alternatively, organizations may email report@cisa.gov or call (888) 282-0870. Once the regulation goes into effect, reporting will no longer be a suggestion for covered entities; it will become a mandatory requirement.

 

Currently, the U.S. Securities and Exchange Commission (SEC) has established cybersecurity disclosure rules that are narrower in scope, focusing on publicly traded companies rather than on the public and private entities that make up critical infrastructure. Also noteworthy is that CISA projects the proposed CIRCIA rule will cost industry and government combined around $2.6 billion from 2023 through 2033. CISA anticipates receiving around 25,000 reports each year, which means additional resources will be needed at the government level. The costs will not only affect critical infrastructure entities, but will also have a lasting impact on the cyber insurance industry.

 

Cyber Insurance Implications

Cyber insurance is intended to be a risk management program component that transfers cyber risk and the costs of cyber incidents for public and private entities, including critical infrastructure organizations. According to John Farley, Managing Director at Gallagher, the cyber insurance marketplace continues to address the potential effects of a catastrophic systemic loss through policy changes such as exclusions and sub-limits on policies covering critical infrastructure organizations. Given the regulatory reporting demands CIRCIA would introduce, additional attention to cyber insurance language and policy terms is expected over the next 18 months.

 

Conclusions

These are the beginning stages of the CIRCIA rulemaking process. Optiv will continue to track changes and modifications throughout this process and their impact on critical infrastructure entities, the cybersecurity domain and cyber insurance markets. If you have any questions regarding CIRCIA or cyber readiness and resilience, contact Optiv today.

 

Resources

Understanding the Cyber Incident Reporting for Critical Infrastructure Act | Gallagher USA (ajg.com)

Mission Critical: CIRCIA’s Regulations and the Race to Secure Critical Infrastructure | Connect on Tech

Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

CISA Cyber Event Information Fact Sheet

CIRCIA: Notice of Proposed Rulemaking: In Brief

Dara Gibson
Senior Manager, Cyber Insurability Services | Optiv
Dara Gibson has developed and managed cybersecurity services for 5 years. By blending cutting-edge technologies, unique skill sets, and proven cyber strategies, she can create lasting partnerships with clients to protect shareholder value and corporate reputations. As a nationally recognized information security leader, Mrs. Gibson is responsible for designing cybersecurity awareness programs to foster expertise in relationship management with industry leading cyber insurance and legal providers for proactive and reactive cybersecurity capabilities.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.