Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Incident Response

CIRCIA Final Rule: What Financial Institutions Need to Know About the New 72-Hour Mandatory Cyber Incident Reporting

CISA's CIRCIA final rule arrived in May 2026. Financial institutions in critical infrastructure sectors now face a 72-hour mandatory incident reporting requirement to CISA — layered on top of FFIEC 36-hour, SEC 4-day, and NYDFS Part 500 obligations. Here's what each one actually covers and how to build a coordinated response.

By Rebecca Leung · June 4, 2026 ·
Table of Contents

TL;DR:

  • CISA’s CIRCIA final rule landed in May 2026, requiring covered critical infrastructure entities — including financial services firms — to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours.
  • The 72-hour clock starts when you “reasonably believe” a covered incident occurred, not when your investigation confirms it — which is harder to operationalize than it sounds.
  • CIRCIA doesn’t replace any existing reporting requirement. If the same incident triggers FFIEC 36-hour, SEC 4-day, and CIRCIA, you’re filing three separate reports to three different recipients.
  • The compliance effective date is expected 12–18 months after the May 2026 final rule publication — approximately late 2027 or early 2028 — which means your preparation window is now, not then.

One More Clock to Watch

If you run incident response for a financial institution, you already have a reporting timeline problem. A significant cybersecurity incident means you’re managing:

  • FFIEC 36-hour rule: Notify your primary federal banking regulator within 36 hours if the incident materially disrupts or degrades banking operations.
  • SEC 4-day rule: Public companies must file an 8-K disclosing a material cybersecurity incident within four business days of determining it’s material.
  • NYDFS Part 500: Covered entities must notify NYDFS of a cybersecurity event within 72 hours — and NYDFS has been aggressive about enforcement, issuing $25M+ in fines across 9+ actions from 2025 through 2026.
  • State breach notification laws: Notification to affected consumers and state attorneys general, with 30-90 day windows depending on jurisdiction.

And now, effective approximately late 2027 or early 2028: CIRCIA, requiring notification to CISA within 72 hours.

Each of these requirements has different trigger criteria, different recipients, different content requirements, and different clocks. Your incident response team will be managing all of them simultaneously during an active crisis. The organizations that do this well are the ones that built the matrix before the incident, not during it.

What CIRCIA Is and Where We Are

The Cyber Incident Reporting for Critical Infrastructure Act was signed by President Biden in March 2022. It directed CISA to develop mandatory incident reporting rules for entities across the 16 federally designated critical infrastructure sectors. The statute required CISA to issue a notice of proposed rulemaking within 24 months (met: the NPRM published April 4, 2024) and final rules 18 months after that (statutory deadline: October 4, 2025).

CISA missed the statutory deadline. Budget constraints, a partial government shutdown affecting DHS, and significant complexity in harmonizing CIRCIA with existing sector-specific reporting requirements pushed the final rule to May 2026. The final rule confirms the core timelines from the proposed rule: 72 hours for covered cyber incidents, 24 hours for ransom payments.

The compliance effective date — when covered entities are actually required to file — is expected 12 to 18 months after the May 2026 final rule publication. That puts actual compliance obligations at approximately late 2027 or early 2028. But designing and testing your reporting process takes months, and incident response procedures don’t get rebuilt overnight.

Who’s Covered

CIRCIA applies to “covered entities” across 16 critical infrastructure sectors, including:

  • Financial services
  • Healthcare and public health
  • Energy
  • Information technology
  • Transportation
  • Communications
  • Critical manufacturing

Small business exemption: Entities meeting the Small Business Administration size thresholds for their sector are generally exempt. For most financial services firms, that means larger community banks, regional banks, national banks, broker-dealers, and fintechs with significant transaction volumes are in scope. A 10-person fintech with minimal assets and transaction volume may qualify for the small business exemption — but verify against the SBA size standards for your NAICS code before assuming you’re out.

For financial institutions that are already subject to the FFIEC 36-hour rule, SEC disclosure requirements, or NYDFS Part 500, CIRCIA adds a fourth notification leg, not a replacement.

What Must Be Reported: The “Covered Cyber Incident” Definition

This is where CIRCIA gets operationally complex. A “covered cyber incident” is a substantial cyber incident involving one or more of the following:

  1. Substantial loss of confidentiality, integrity, or availability of an information system or network
  2. Serious impact on the safety and resilience of operational systems and processes
  3. Disruption of business operations or service delivery capabilities
  4. Unauthorized access to information systems facilitated by a third party (supply chain compromise)

“Substantial” does significant interpretive work. CISA’s guidance is clear that minor outages, routine malware detections, and unsuccessful intrusion attempts don’t trigger CIRCIA. But the boundary between “significant disruption” and “minor degradation” is going to generate enforcement questions.

The supply chain compromise criterion is worth highlighting for financial services teams: if a critical third-party vendor — a payment processor, a core banking platform, a cloud provider — suffers a breach that results in unauthorized access to your systems, that may trigger CIRCIA reporting even if your own systems weren’t directly compromised. This is the Change Healthcare scenario. A supply chain event at a vendor becomes your CIRCIA reporting obligation.

The 72-Hour Clock: What Starts It and What to File

When the Clock Starts

The 72-hour clock starts when you reasonably believe a covered cyber incident has occurred — not when your investigation confirms it. This is important. You don’t need forensic certainty. You don’t need to know the full scope of the incident. If the available information leads a reasonable person to believe a covered incident may have occurred, the clock has started.

This is a deliberately lower standard than “confirmed.” The point is to get early situational awareness to CISA, even with incomplete information. Your initial CIRCIA report will be based on what you know at the time — you can file supplemental reports as the investigation develops.

The practical implication: your incident triage process needs to include a CIRCIA evaluation within the first few hours of an incident being identified, not at the 48-hour mark when your forensics team has a preliminary report.

What the Report Must Include

The initial CIRCIA report to CISA must include:

  • Description of the covered cyber incident, including the category
  • Date/time the incident began and was discovered
  • Estimated impact
  • Affected systems, networks, or data
  • Security measures in place at the time of the incident
  • Contact information for follow-up

Subsequent supplemental reports are required as significant new information becomes available, including when the investigation is concluded.

How to File

Reports go to CISA, not to your primary financial regulator. CISA is building a centralized online reporting portal. Financial institutions that also trigger the FFIEC 36-hour rule will file two separate reports to two separate recipients — one to their primary banking regulator (OCC, Federal Reserve, or FDIC) and one to CISA.

Ransom Payment Reporting: The 24-Hour Requirement

CIRCIA imposes a separate 24-hour reporting window for ransom payments. Any covered entity that makes a payment to a threat actor in response to a ransomware attack must notify CISA within 24 hours of making the payment.

This applies regardless of whether the underlying ransomware incident meets the “covered cyber incident” threshold. If you pay, you report — even if the encryption was limited enough that the incident itself would not have required a CIRCIA report.

The 24-hour window is very short. For financial institutions running incident response with general counsel and executive leadership involved in the ransom payment decision, you need a pre-built notification workflow that can execute within hours of a payment decision, not days.

The Multi-Regulator Reporting Matrix

This is the table your IR team should have laminated (or at least bookmarked):

RequirementRecipientTriggerTimeframeKey Standard
CIRCIACISASubstantial cyber incident or ransom payment72 hrs (incident) / 24 hrs (ransom payment)“Reasonably believes” incident occurred
FFIEC 36-Hour RulePrimary banking regulator (OCC/Fed/FDIC)Computer-security incident that materially disrupts/degrades banking operations36 hours of determination”Determines” incident occurred
SEC 8-K (Rule 1.05)SEC (public companies)Material cybersecurity incident4 business days after determining material”Determines” materiality
NYDFS Part 500NYDFSCybersecurity event72 hours of determining a cybersecurity event occurred”Determines” event occurred
State breach lawsState AGs + consumersPersonal data breach30-90 days (varies by state)Notice of breach affecting residents

Key observations from this table:

  1. FFIEC 36-hour is faster than CIRCIA — if the same incident triggers both, you file with your banking regulator first, then with CISA.
  2. Different trigger standards — FFIEC and SEC require “determines”; CIRCIA requires “reasonably believes.” In practice, you may hit the CIRCIA trigger before you’ve made the formal determination that triggers FFIEC.
  3. Different recipients — these go to five different regulatory destinations. Your IR playbook needs to address all of them.
  4. NYDFS can run concurrently with CIRCIA — both have 72-hour windows from different trigger points. You may be filing two 72-hour reports on the same day.

Industry groups, including the Bank Policy Institute, have been vocal about the overlapping reporting burdens and have pushed CISA to harmonize CIRCIA with existing financial sector frameworks. CISA explicitly asked for input on harmonization in its 2026 town halls. Some coordination may occur before the effective date, but practitioners should plan for parallel reporting obligations until those harmonization efforts resolve.

How to Prepare Now

With the CIRCIA effective date approximately 18 months out, the preparation work is real. Here’s where to start:

1. Determine if you’re a covered entity

Map your organization to the CIRCIA critical infrastructure sectors. If you’re in financial services and exceed the SBA small business size standard, assume you’re in scope. Document your analysis.

2. Map current incident response procedures against CIRCIA

Review your IR playbook for existing incident classification criteria. Does your current “significant incident” definition align with CIRCIA’s “covered cyber incident” standard? Gap-test with a tabletop: would your team know within the first two hours whether CIRCIA reporting was likely triggered?

3. Build the coordinated notification checklist

Create a single reference document that maps every federal reporting obligation (CIRCIA, FFIEC 36-hour, SEC 4-day, NYDFS Part 500) to its trigger criteria, timing, recipient, required content, and responsible owner. Your IR team should be able to pull this up at 2am during an active incident and execute.

4. Assign the CISA reporting owner

Who in your organization files the CIRCIA report? It’s not the same person who calls your primary banking regulator. CISA is a separate recipient requiring a different notification with different content. Designate an owner, build the filing procedure, and test it.

5. Build a ransomware-specific protocol

The 24-hour ransom payment reporting window is the tightest clock in your entire reporting matrix. The decision to pay or not pay will involve legal, executive leadership, and external counsel. Your 24-hour notification protocol needs to be ready before you’re in the room making that decision.

6. Audit third-party incident notification clauses

CIRCIA’s supply chain compromise trigger means a vendor incident can create your CIRCIA reporting obligation. Review your critical vendor contracts: do they require the vendor to notify you within a timeframe that gives you enough lead time to meet your 72-hour CIRCIA clock?

7. Update your incident response plan

Add CIRCIA as a named regulatory obligation in your IR plan, alongside your existing FFIEC, SEC, NYDFS, and state breach law obligations. The Incident Response & Breach Notification Kit includes a multi-regulator notification checklist and pre-built playbook templates that you can update to incorporate CIRCIA as a named requirement. Get it at buy.stripe.com/8x26oA9Fh4ht7nDf1s6J207.

So What?

CIRCIA is not a replacement for any reporting requirement your financial institution already has. It’s an addition — a federal civilian cybersecurity intelligence collection mechanism with mandatory reporting tied to critical infrastructure. The 72-hour clock and the 24-hour ransom payment window are real obligations that will apply to most financial institutions with any significant scale.

The organizations that handle multi-regulator incident reporting well are the ones that don’t reconstruct the reporting matrix at 3am during an active breach. They have it pre-built, tested, and practiced. CIRCIA gives you approximately 18 months before the compliance effective date. That’s enough time to do this right — if you start now.


Sources: CISA CIRCIA FAQs | Davis Wright Tremaine: CISA Delays Cyber Incident Reporting Rules Until May 2026 | Fisher Phillips: New Federal Cybersecurity Reporting Rules FAQs | Alation: CIRCIA Compliance Guide 2026 | VaasBlock: CIRCIA Final Rule 2026 — 72-Hour Reporting for 300,000 Companies

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What is CIRCIA and when does it take effect?
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022. CISA published its final rule in May 2026. The compliance effective date is expected to be approximately 12–18 months after the final rule publication — likely late 2027 or early 2028. Covered entities should begin gap assessments and process design now rather than waiting for the exact effective date.
Does CIRCIA apply to banks and fintechs?
Yes. Financial services is one of 16 federally designated critical infrastructure sectors covered by CIRCIA. Covered entities include financial firms that exceed the Small Business Administration size standard for their sector. Most banks with significant assets, and most fintechs with meaningful transaction volumes, are likely in scope. Small businesses meeting SBA size thresholds are generally exempt.
What triggers the 72-hour reporting clock under CIRCIA?
The 72-hour clock starts when you 'reasonably believe' a covered cyber incident has occurred — not when your investigation confirms it. A covered cyber incident involves substantial loss of confidentiality, integrity, or availability of information systems; serious impact on operational systems; disruption of business operations or service delivery; or unauthorized access facilitated through a supply chain compromise. You do not need forensic certainty to trigger the obligation.
How does CIRCIA's 72-hour requirement interact with the FFIEC 36-hour rule?
They are separate reporting requirements going to different recipients. The FFIEC 36-hour rule requires banking organizations to notify their primary federal regulator (OCC, Federal Reserve, or FDIC) within 36 hours of determining that a 'computer-security incident' has materially disrupted or degraded banking operations. CIRCIA requires notification to CISA within 72 hours. If the same incident triggers both, you report to your banking regulator by hour 36 and to CISA by hour 72. Both clocks start from different trigger criteria, so review each independently.
What is the ransom payment reporting requirement?
Covered entities must report any ransom payment to CISA within 24 hours of making the payment. This applies regardless of whether the underlying ransomware attack meets the 'covered cyber incident' threshold — if you pay, you report. The 24-hour window is among the shortest in any federal cyber reporting framework.
What should financial institutions do now to prepare for CIRCIA?
Start with a gap assessment: map your current incident response procedures against the CIRCIA reporting requirements, identify who in your organization would own the CISA notification, and document your incident classification thresholds. Then build a coordinated notification checklist that maps each federal reporting requirement (CIRCIA, FFIEC 36-hour, SEC 4-day, NYDFS Part 500) to its trigger criteria, timeline, recipient, and required content — so your IR team isn't reconstructing the matrix during an active incident.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Incident Response & Breach Notification Kit

Step-by-step incident response playbooks and breach notification templates for all 50 states.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.