Randy Sabett, Erin Whitmore
Session Time: Wed, May 6, 2026: 02:30 PM – 03:30 PM
When the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) passed, it brought the U.S. in line with other countries that already have mandatory cyber incident reporting. Under CIRCIA, covered entities in critical infrastructure sectors must report substantial cyber incidents to CISA within 72 hours of discovery and ransomware payments within 24 hours. As many of us know, such deadlines place incredible pressure on the victim organization.
From a broad policy perspective, CIRCIA will likely increase the burden on those covered entities. For example, reports to CISA must include the nature and impact of the incident, the vulnerabilities exploited, and mitigation steps. CIRCIA grants CISA authority to issue subpoenas for non-compliance and provides liability protections for good-faith reporting. What does this mean for critical infrastructure companies? Further, what does it mean for companies in the critical infrastructure supply chain? This session will cover these and other challenging questions around CIRCIA.
Randy Sabett, Special Counsel, Cooley
Erin Whitmore, Managing Director, Executive Risk & Strategic Intelligence, Cypfer