Cyber Incident Reporting Requirements in the US
Cyber incident reporting requirements in the United States span a complex patchwork of federal statutes, sector-specific regulations, and state-level mandates that collectively define when, how, and to whom organizations must disclose cybersecurity events. These obligations carry enforceable deadlines, vary significantly by industry and incident type, and are administered by distinct regulatory bodies with overlapping jurisdiction. Navigating this landscape requires precise understanding of which reporting regimes apply, what thresholds trigger disclosure, and how timelines differ across frameworks.
Definition and scope
A cyber incident reporting requirement is a legally or regulatorily imposed obligation for an organization to notify a designated authority — or affected parties — when a qualifying cybersecurity event occurs. The scope of "qualifying event" differs across frameworks but generally encompasses unauthorized access, data exfiltration, ransomware deployment, denial-of-service attacks affecting critical systems, and integrity compromises of federal information systems.
The broadest new federal mandate is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which directs the Cybersecurity and Infrastructure Security Agency (CISA) to develop rules requiring covered entities to report significant incidents within 72 hours and ransomware payments within 24 hours. CISA's implementing rulemaking, still in progress as of the proposed rule published in April 2024, will govern 16 critical infrastructure sectors as defined in Presidential Policy Directive 21. Separate from CIRCIA, the Federal Information Security Modernization Act (FISMA) requires federal agencies to report incidents to the US-CERT within 1 hour for the most severe categories (CAT 0 and CAT 1) under OMB Memorandum M-20-04.
Reporting obligations extend beyond the federal government. The sector-specific cybersecurity regulations that govern healthcare, finance, energy, and defense each impose their own disclosure standards, often with different timeline windows and recipient agencies.
How it works
Cyber incident reporting operates through a structured sequence of identification, classification, notification, and documentation:
- Detection and classification — The affected organization identifies a cybersecurity event and determines whether it meets the applicable threshold (e.g., a "significant" incident under CIRCIA, a "breach" under HIPAA, or a "security incident" under FISMA).
- Initial notification — Within the prescribed window, the entity transmits a report to the designated authority. Under CIRCIA rules, this goes to CISA. Under HIPAA, covered entities notify the Department of Health and Human Services (HHS); breaches affecting 500 or more individuals require notification within 60 days of discovery (45 CFR §164.408).
- Supplemental reporting — Many frameworks require a follow-up report with additional technical detail once the full scope of the incident is understood. CIRCIA's proposed rule includes a supplemental report requirement.
- Coordination and information sharing — Agencies may share incident data across the federal enterprise or with sector-specific Information Sharing and Analysis Centers (ISACs) under authorities established by the Cybersecurity Information Sharing Act of 2015 (CISA 2015). This intersects directly with cybersecurity information sharing structures already in operation.
- Documentation and remediation evidence — Regulatory authorities typically require retained records of incident timelines, remediation actions, and affected system inventories.
The Securities and Exchange Commission's (SEC) Rule on Cybersecurity Risk Management, adopted in July 2023, requires public companies to disclose material cybersecurity incidents on Form 8-K within 4 business days of determining materiality (17 CFR §229.106).
Common scenarios
Reporting obligations are triggered across a broad range of incident types. The most operationally significant scenarios include:
- Ransomware against a hospital network — HIPAA's Breach Notification Rule applies if patient data is encrypted or exfiltrated. HHS Office for Civil Rights (OCR) is the receiving authority. If the hospital qualifies as critical infrastructure under the Healthcare and Public Health sector, CIRCIA reporting to CISA will also apply once final rules are in effect.
- Data breach at a financial institution — The Gramm-Leach-Bliley Act's Safeguards Rule (enforced by the FTC) and the federal banking regulators' Computer-Security Incident Notification Rule (12 CFR Part 53) require notification to primary federal banking regulators within 36 hours for incidents that materially disrupt banking operations.
- Federal contractor system compromise — DFARS clause 252.204-7012 requires defense contractors to report cyber incidents to the Department of Defense within 72 hours. This intersects with DoD cybersecurity requirements and the Cybersecurity Maturity Model Certification program's compliance expectations.
- State agency breach — Separate from federal mandates, state laws govern notification to residents. As of 2024, all 50 US states have enacted data breach notification laws, though timelines and thresholds differ considerably. State cybersecurity laws and state data breach notification laws detail these variances.
Decision boundaries
Determining which reporting regime applies — and whether multiple regimes apply simultaneously — depends on four primary variables:
- Sector classification — Healthcare, finance, energy, and defense each carry distinct primary reporting obligations. An organization in the energy sector may face both NERC CIP incident reporting requirements and CIRCIA obligations.
- Entity type — Federal agencies follow FISMA and OMB guidance; private companies follow sector rules; public companies follow SEC disclosure requirements; defense contractors follow DFARS.
- Incident severity threshold — Not all events trigger reporting. CIRCIA applies to "covered cyber incidents," a term defined in the proposed rule with materiality-like qualifiers. HIPAA applies only when unsecured protected health information is involved.
- Affected party count and data type — State breach notification laws frequently set thresholds at a specific number of affected residents (e.g., California's breach notification law under Civil Code §1798.82 is triggered by a single resident's compromised data in qualifying categories).
Overlapping obligations are common. A publicly traded hospital experiencing a ransomware attack faces potential reporting duties to HHS OCR, CISA (under CIRCIA), the SEC, and the state attorney general simultaneously. The US cybersecurity regulatory framework provides broader structural context for how these bodies interrelate.
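To make the decision boundaries and the overlap scenario above concrete, here is an added example in Python (not code from the page or any regulator) that encodes the trigger conditions and windows exactly as the page states them and computes the due date for each regime an incident hits. It assumes discovery as the clock start wherever the page names none, a Monday-to-Friday business-day calendar with no holiday list, and leaves out state regimes because the page gives no uniform window for them; the hospital incident at the end is a constructed sample.

```python
"""Deadline calculator for the reporting regimes described on this page.

Added example. Windows are encoded as the page states them; where the page
does not say which event starts the clock, discovery is assumed (labelled
below). Business days are Mon-Fri with no holiday calendar (assumption).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class Incident:
    sector: str                          # e.g. "healthcare", "finance", "defense"
    federal_agency: bool = False
    public_company: bool = False
    defense_contractor: bool = False
    critical_infrastructure: bool = False   # CIRCIA covered-entity proxy (assumption)
    unsecured_phi: bool = False             # HIPAA trigger
    affected_individuals: int = 0
    ransomware_payment: bool = False
    disrupts_banking_ops: bool = False      # 12 CFR Part 53 trigger
    material: bool = False                  # SEC materiality determination made
    fisma_category: Optional[str] = None    # "CAT 0", "CAT 1", ...
    events: Dict[str, datetime] = field(default_factory=dict)  # clock-start timestamps


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` Mon-Fri business days, keeping the time of day (no holidays)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:        # 0-4 are Mon-Fri
            remaining -= 1
    return current


def reporting_deadlines(inc: Incident) -> Dict[str, Tuple[str, datetime]]:
    """Return {regime: (recipient, deadline)} for each regime on the page whose
    stated trigger conditions the incident meets."""
    ev = inc.events
    discovery = ev["discovery"]
    out: Dict[str, Tuple[str, datetime]] = {}

    # CIRCIA: 72h for significant incidents, 24h for ransomware payments.
    # Incident clock assumed = discovery; payment clock = payment timestamp.
    if inc.critical_infrastructure:
        out["CIRCIA incident"] = ("CISA", discovery + timedelta(hours=72))
        if inc.ransomware_payment:
            out["CIRCIA ransom payment"] = ("CISA", ev["payment"] + timedelta(hours=24))

    # FISMA / OMB M-20-04: federal agencies, 1 hour for CAT 0 and CAT 1.
    if inc.federal_agency and inc.fisma_category in {"CAT 0", "CAT 1"}:
        out["FISMA"] = ("US-CERT", discovery + timedelta(hours=1))

    # HIPAA: unsecured PHI, 500+ individuals, 60 days of discovery. Only the
    # 500+ case the page states is encoded here.
    if inc.unsecured_phi and inc.affected_individuals >= 500:
        out["HIPAA 45 CFR 164.408"] = ("HHS OCR", discovery + timedelta(days=60))

    # 12 CFR Part 53: 36 hours for incidents materially disrupting banking operations.
    if inc.sector == "finance" and inc.disrupts_banking_ops:
        out["12 CFR Part 53"] = ("primary federal banking regulator",
                                 discovery + timedelta(hours=36))

    # DFARS 252.204-7012: defense contractors, 72 hours.
    if inc.defense_contractor:
        out["DFARS 252.204-7012"] = ("DoD", discovery + timedelta(hours=72))

    # SEC 17 CFR 229.106: 4 business days from the materiality determination.
    if inc.public_company and inc.material:
        out["SEC Form 8-K"] = ("SEC", add_business_days(ev["materiality"], 4))

    return out


def deadline_order(inc: Incident) -> list:
    """Regime names sorted by due date: the order an IR lead works them."""
    return [name for name, (_, due) in
            sorted(reporting_deadlines(inc).items(), key=lambda kv: kv[1][1])]


def hospital_ransomware_example() -> Dict[str, str]:
    """Constructed sample: publicly traded hospital hit by ransomware, PHI
    exfiltrated for 1,200 patients, materiality determined a day later."""
    inc = Incident(sector="healthcare", public_company=True,
                   critical_infrastructure=True, unsecured_phi=True,
                   affected_individuals=1200, material=True,
                   events={"discovery": datetime(2024, 3, 14, 9, 0),      # Thursday
                           "materiality": datetime(2024, 3, 15, 17, 0)})  # Friday
    return {name: due.isoformat() for name, (_, due) in reporting_deadlines(inc).items()}


if __name__ == "__main__":
    for regime, due in hospital_ransomware_example().items():
        print(f"{regime:24} due {due}")
```

Running it shows why the overlap matters operationally: the CIRCIA clock (72 hours from discovery) runs out before the SEC clock (4 business days, which skips the weekend here) and long before the HIPAA 60-day window, so the same incident needs three differently timed reports to three recipients. Adding a regime is a matter of encoding its trigger and window next to the others, which keeps the decision logic reviewable in one place.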
References
- Cybersecurity and Infrastructure Security Agency — CIRCIA
- CISA — Proposed CIRCIA Rulemaking (April 2024)
- HHS Office for Civil Rights — HIPAA Breach Notification Rule (45 CFR Part 164)
- eCFR — 45 CFR §164.408 (Notification to the Secretary)
- eCFR — 12 CFR Part 53 (Computer-Security Incident Notification)
- eCFR — 17 CFR §229.106 (SEC Cybersecurity Disclosure)
- OMB Memorandum M-20-04 (Federal Incident Reporting)
- CISA — Cybersecurity Information Sharing Act of 2015
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- FTC Safeguards Rule
- California Civil Code §1798.82 (Data Breach Notification)