Interested in training for your team? Click here to learn more

Cybersecurity Incident Reporting for Critical Infrastructure Act: Reporting Timeframes, Liability Protection, Enforcement

Security Controls, Incident Response Team, Communication Plans, Evidence Preservation, Legal and Evidentiary Privileges

Recording of a 90-minute CLE video webinar with Q&A

This program is included with the Strafford CLE Pass. Click for more information.
This program is included with the Strafford All-Access Pass. Click for more information.

Conducted on Thursday, June 30, 2022

Recorded event now available

or call 1-800-926-7926

This CLE course will discuss the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The panel will address when businesses must report to the Cybersecurity and Infrastructure Security Agency (CISA), the reporting timeframes, liability protections, and enforcement. The panel will discuss how this new regulation will affect data governance and incident response plans.


CIRCIA, passed as part of the omnibus spending bill on Mar. 15, 2022, will require critical infrastructure companies--which could include financial services companies, energy companies, and other key businesses for which a disruption would impact economic security or public health and safety--to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.

CIRCIA establishes reporting requirements for entities that (1) have experienced a "covered cyber incident" and (2) meet the definition of a "covered entity." "Covered entity" is not yet fully defined, but will likely include those that belong to any of the 16 critical infrastructure sectors defined by DHS.

CIRCIA also clearly establishes the timing involved when a report must be made and includes limited liability protection for entities that report an incident to CISA.

CIRCIA does provide an exception for entities that are already required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, as long as there is an agreement in place between CISA and the other agency. State breach reporting obligations and reports to European privacy regulators will likely not trigger the exception, and organizations filing such reports likely will still need to report to CISA.

Listen as our expert panel discusses all of the new obligations under CIRCIA, the best practices to mitigate risks if noncompliant, and what the likely outcome of regulation of this Act will be.



  1. Cyber Incident Reporting for Critical Infrastructure Act
    1. Cybersecurity and Infrastructure Security Agency
  2. Defined terms
    1. Covered cyber event
    2. Covered entity
  3. Timing
  4. Continued reporting
  5. Liability protection
  6. Confidentiality
  7. Exceptions to reporting requirement
  8. Mitigating risks and best practices


The panel will address these and other important issues:

  • What is the history of CIRCIA and its regulatory agency?
  • How is "covered entity" defined in CIRCIA?
  • What risks are associated with failure to report in a timely manner?
  • What exceptions to reporting exist under CIRCIA?


Christensen, Guillermo
Guillermo Christensen

Office Managing Partner
Ice Miller

Mr. Christensen combines his experience as a former CIA intelligence officer, a diplomat with the U.S. Department of...  |  Read More

Desai, Shardul
Shardul Desai

Holland & Knight

Mr. Desai is a cybersecurity, data privacy, and white collar defense and government investigations attorney. He has...  |  Read More

Jones, Christopher K.
Christopher K. Jones

Sands Anderson

Working with corporations of all sizes, as well as insurers and their insureds, Mr. Jones handles the litigation needs...  |  Read More

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.

To find out which recorded format will provide the best CLE option, select your state:

CLE On-Demand Video