Feature Incident Response
CIRCIA Final Rule: What Financial Institutions Need to Know About the New 72-Hour Mandatory Cyber Incident Reporting
CISA's CIRCIA final rule arrived in May 2026. Financial institutions in critical infrastructure sectors now face a 72-hour mandatory incident reporting requirement to CISA — layered on top of FFIEC 36-hour, SEC 4-day, and NYDFS Part 500 obligations. Here's what each one actually covers and how to build a coordinated response.
Table of Contents
TL;DR:
- CISA’s CIRCIA final rule landed in May 2026, requiring covered critical infrastructure entities — including financial services firms — to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours.
- The 72-hour clock starts when you “reasonably believe” a covered incident occurred, not when your investigation confirms it — which is harder to operationalize than it sounds.
- CIRCIA doesn’t replace any existing reporting requirement. If the same incident triggers FFIEC 36-hour, SEC 4-day, and CIRCIA, you’re filing three separate reports to three different recipients.
- The compliance effective date is expected 12–18 months after the May 2026 final rule publication — approximately late 2027 or early 2028 — which means your preparation window is now, not then.
One More Clock to Watch
If you run incident response for a financial institution, you already have a reporting timeline problem. A significant cybersecurity incident means you’re managing:
- FFIEC 36-hour rule: Notify your primary federal banking regulator within 36 hours if the incident materially disrupts or degrades banking operations.
- SEC 4-day rule: Public companies must file an 8-K disclosing a material cybersecurity incident within four business days of determining it’s material.
- NYDFS Part 500: Covered entities must notify NYDFS of a cybersecurity event within 72 hours — and NYDFS has been aggressive about enforcement, issuing $25M+ in fines across 9+ actions from 2025 through 2026.
- State breach notification laws: Notification to affected consumers and state attorneys general, with 30-90 day windows depending on jurisdiction.
And now, effective approximately late 2027 or early 2028: CIRCIA, requiring notification to CISA within 72 hours.
Each of these requirements has different trigger criteria, different recipients, different content requirements, and different clocks. Your incident response team will be managing all of them simultaneously during an active crisis. The organizations that do this well are the ones that built the matrix before the incident, not during it.
What CIRCIA Is and Where We Are
The Cyber Incident Reporting for Critical Infrastructure Act was signed by President Biden in March 2022. It directed CISA to develop mandatory incident reporting rules for entities across the 16 federally designated critical infrastructure sectors. The statute required CISA to issue a notice of proposed rulemaking within 24 months (met: the NPRM published April 4, 2024) and final rules 18 months after that (statutory deadline: October 4, 2025).
CISA missed the statutory deadline. Budget constraints, a partial government shutdown affecting DHS, and significant complexity in harmonizing CIRCIA with existing sector-specific reporting requirements pushed the final rule to May 2026. The final rule confirms the core timelines from the proposed rule: 72 hours for covered cyber incidents, 24 hours for ransom payments.
The compliance effective date — when covered entities are actually required to file — is expected 12 to 18 months after the May 2026 final rule publication. That puts actual compliance obligations at approximately late 2027 or early 2028. But designing and testing your reporting process takes months, and incident response procedures don’t get rebuilt overnight.
Who’s Covered
CIRCIA applies to “covered entities” across 16 critical infrastructure sectors, including:
- Financial services
- Healthcare and public health
- Energy
- Information technology
- Transportation
- Communications
- Critical manufacturing
Small business exemption: Entities meeting the Small Business Administration size thresholds for their sector are generally exempt. For most financial services firms, that means larger community banks, regional banks, national banks, broker-dealers, and fintechs with significant transaction volumes are in scope. A 10-person fintech with minimal assets and transaction volume may qualify for the small business exemption — but verify against the SBA size standards for your NAICS code before assuming you’re out.
For financial institutions that are already subject to the FFIEC 36-hour rule, SEC disclosure requirements, or NYDFS Part 500, CIRCIA adds a fourth notification leg, not a replacement.
What Must Be Reported: The “Covered Cyber Incident” Definition
This is where CIRCIA gets operationally complex. A “covered cyber incident” is a substantial cyber incident involving one or more of the following:
- Substantial loss of confidentiality, integrity, or availability of an information system or network
- Serious impact on the safety and resilience of operational systems and processes
- Disruption of business operations or service delivery capabilities
- Unauthorized access to information systems facilitated by a third party (supply chain compromise)
“Substantial” does significant interpretive work. CISA’s guidance is clear that minor outages, routine malware detections, and unsuccessful intrusion attempts don’t trigger CIRCIA. But the boundary between “significant disruption” and “minor degradation” is going to generate enforcement questions.
The supply chain compromise criterion is worth highlighting for financial services teams: if a critical third-party vendor — a payment processor, a core banking platform, a cloud provider — suffers a breach that results in unauthorized access to your systems, that may trigger CIRCIA reporting even if your own systems weren’t directly compromised. This is the Change Healthcare scenario. A supply chain event at a vendor becomes your CIRCIA reporting obligation.
The 72-Hour Clock: What Starts It and What to File
When the Clock Starts
The 72-hour clock starts when you reasonably believe a covered cyber incident has occurred — not when your investigation confirms it. This is important. You don’t need forensic certainty. You don’t need to know the full scope of the incident. If the available information leads a reasonable person to believe a covered incident may have occurred, the clock has started.
This is a deliberately lower standard than “confirmed.” The point is to get early situational awareness to CISA, even with incomplete information. Your initial CIRCIA report will be based on what you know at the time — you can file supplemental reports as the investigation develops.
The practical implication: your incident triage process needs to include a CIRCIA evaluation within the first few hours of an incident being identified, not at the 48-hour mark when your forensics team has a preliminary report.
What the Report Must Include
The initial CIRCIA report to CISA must include:
- Description of the covered cyber incident, including the category
- Date/time the incident began and was discovered
- Estimated impact
- Affected systems, networks, or data
- Security measures in place at the time of the incident
- Contact information for follow-up
Subsequent supplemental reports are required as significant new information becomes available, including when the investigation is concluded.
How to File
Reports go to CISA, not to your primary financial regulator. CISA is building a centralized online reporting portal. Financial institutions that also trigger the FFIEC 36-hour rule will file two separate reports to two separate recipients — one to their primary banking regulator (OCC, Federal Reserve, or FDIC) and one to CISA.
Ransom Payment Reporting: The 24-Hour Requirement
CIRCIA imposes a separate 24-hour reporting window for ransom payments. Any covered entity that makes a payment to a threat actor in response to a ransomware attack must notify CISA within 24 hours of making the payment.
This applies regardless of whether the underlying ransomware incident meets the “covered cyber incident” threshold. If you pay, you report — even if the encryption was limited enough that the incident itself would not have required a CIRCIA report.
The 24-hour window is very short. For financial institutions running incident response with general counsel and executive leadership involved in the ransom payment decision, you need a pre-built notification workflow that can execute within hours of a payment decision, not days.
The Multi-Regulator Reporting Matrix
This is the table your IR team should have laminated (or at least bookmarked):
| Requirement | Recipient | Trigger | Timeframe | Key Standard |
|---|---|---|---|---|
| CIRCIA | CISA | Substantial cyber incident or ransom payment | 72 hrs (incident) / 24 hrs (ransom payment) | “Reasonably believes” incident occurred |
| FFIEC 36-Hour Rule | Primary banking regulator (OCC/Fed/FDIC) | Computer-security incident that materially disrupts/degrades banking operations | 36 hours of determination | ”Determines” incident occurred |
| SEC 8-K (Rule 1.05) | SEC (public companies) | Material cybersecurity incident | 4 business days after determining material | ”Determines” materiality |
| NYDFS Part 500 | NYDFS | Cybersecurity event | 72 hours of determining a cybersecurity event occurred | ”Determines” event occurred |
| State breach laws | State AGs + consumers | Personal data breach | 30-90 days (varies by state) | Notice of breach affecting residents |
Key observations from this table:
- FFIEC 36-hour is faster than CIRCIA — if the same incident triggers both, you file with your banking regulator first, then with CISA.
- Different trigger standards — FFIEC and SEC require “determines”; CIRCIA requires “reasonably believes.” In practice, you may hit the CIRCIA trigger before you’ve made the formal determination that triggers FFIEC.
- Different recipients — these go to five different regulatory destinations. Your IR playbook needs to address all of them.
- NYDFS can run concurrently with CIRCIA — both have 72-hour windows from different trigger points. You may be filing two 72-hour reports on the same day.
Industry groups, including the Bank Policy Institute, have been vocal about the overlapping reporting burdens and have pushed CISA to harmonize CIRCIA with existing financial sector frameworks. CISA explicitly asked for input on harmonization in its 2026 town halls. Some coordination may occur before the effective date, but practitioners should plan for parallel reporting obligations until those harmonization efforts resolve.
How to Prepare Now
With the CIRCIA effective date approximately 18 months out, the preparation work is real. Here’s where to start:
1. Determine if you’re a covered entity
Map your organization to the CIRCIA critical infrastructure sectors. If you’re in financial services and exceed the SBA small business size standard, assume you’re in scope. Document your analysis.
2. Map current incident response procedures against CIRCIA
Review your IR playbook for existing incident classification criteria. Does your current “significant incident” definition align with CIRCIA’s “covered cyber incident” standard? Gap-test with a tabletop: would your team know within the first two hours whether CIRCIA reporting was likely triggered?
3. Build the coordinated notification checklist
Create a single reference document that maps every federal reporting obligation (CIRCIA, FFIEC 36-hour, SEC 4-day, NYDFS Part 500) to its trigger criteria, timing, recipient, required content, and responsible owner. Your IR team should be able to pull this up at 2am during an active incident and execute.
4. Assign the CISA reporting owner
Who in your organization files the CIRCIA report? It’s not the same person who calls your primary banking regulator. CISA is a separate recipient requiring a different notification with different content. Designate an owner, build the filing procedure, and test it.
5. Build a ransomware-specific protocol
The 24-hour ransom payment reporting window is the tightest clock in your entire reporting matrix. The decision to pay or not pay will involve legal, executive leadership, and external counsel. Your 24-hour notification protocol needs to be ready before you’re in the room making that decision.
6. Audit third-party incident notification clauses
CIRCIA’s supply chain compromise trigger means a vendor incident can create your CIRCIA reporting obligation. Review your critical vendor contracts: do they require the vendor to notify you within a timeframe that gives you enough lead time to meet your 72-hour CIRCIA clock?
7. Update your incident response plan
Add CIRCIA as a named regulatory obligation in your IR plan, alongside your existing FFIEC, SEC, NYDFS, and state breach law obligations. The Incident Response & Breach Notification Kit includes a multi-regulator notification checklist and pre-built playbook templates that you can update to incorporate CIRCIA as a named requirement. Get it at buy.stripe.com/8x26oA9Fh4ht7nDf1s6J207.
So What?
CIRCIA is not a replacement for any reporting requirement your financial institution already has. It’s an addition — a federal civilian cybersecurity intelligence collection mechanism with mandatory reporting tied to critical infrastructure. The 72-hour clock and the 24-hour ransom payment window are real obligations that will apply to most financial institutions with any significant scale.
The organizations that handle multi-regulator incident reporting well are the ones that don’t reconstruct the reporting matrix at 3am during an active breach. They have it pre-built, tested, and practiced. CIRCIA gives you approximately 18 months before the compliance effective date. That’s enough time to do this right — if you start now.
Related Reading
- FFIEC 36-Hour Incident Notification Rule: What Banking Organizations Must Report, When, and to Whom
- Ransomware Incident Response Playbook: The 24-Hour Checklist for Financial Institutions
- Incident Triage Techniques: Severity Classification, Materiality, and the SEC 4-Day Clock
Sources: CISA CIRCIA FAQs | Davis Wright Tremaine: CISA Delays Cyber Incident Reporting Rules Until May 2026 | Fisher Phillips: New Federal Cybersecurity Reporting Rules FAQs | Alation: CIRCIA Compliance Guide 2026 | VaasBlock: CIRCIA Final Rule 2026 — 72-Hour Reporting for 300,000 Companies
◆ Related template
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is CIRCIA and when does it take effect?
Does CIRCIA apply to banks and fintechs?
What triggers the 72-hour reporting clock under CIRCIA?
How does CIRCIA's 72-hour requirement interact with the FFIEC 36-hour rule?
What is the ransom payment reporting requirement?
What should financial institutions do now to prepare for CIRCIA?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Keep reading
Related posts.
Incident Response
AI-Powered BEC Stole $3 Billion in 2025: What Your Incident Response Playbook Is Missing
The FBI's 2025 IC3 report logged $3.046 billion in BEC losses—86% via wire or ACH—with AI now generating the emails, cloning the voices, and running the deepfakes. Most financial institution IR playbooks were written before this threat existed. Here's the gap analysis and what to add before the next one hits.
Jul 8, 2026
Incident Response
KYC in the Deepfake Era: Why Document + Selfie Verification Is Failing and What Actually Works
FinCEN's November 2024 alert formally put financial institutions on notice that AI-generated deepfakes are bypassing KYC onboarding at scale. Here's what's failing in the document+selfie stack, what examiners expect, and which controls are working in 2026.
Jul 5, 2026
Incident Response
Breach Notification Letter Template: What the Law Requires, What Regulators Charge For, and Why Your Approval Process Fails Under Pressure
The content of a breach notification letter isn't optional — multiple regulatory frameworks specify exactly what must be in it, and enforcement actions from the FTC, SEC, and CFTC show how specific the mistakes regulators will charge you for. Here's what goes in the letter and how to build an approval process that holds up when the 30-day clock is running.
Jul 3, 2026