The US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) took effect in May 2026, requiring covered critical infrastructure entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. The mandate is accelerating demand for cyber insurance and reshaping how businesses, insurers, and regulators respond to a threat landscape where AI is intensifying both attack sophistication and underwriting complexity.
A landmark shift in US cybersecurity policy is now reshaping how businesses and insurers manage digital risk. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) took effect in May 2026, establishing mandatory reporting requirements for entities operating in critical infrastructure sectors. Under the law, covered entities must report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours. The regulation represents one of the most significant federal cybersecurity mandates in US history.
The reporting requirement is accelerating an already fast-growing cyber insurance market. Regulatory mandates like CIRCIA โ alongside the EU's Digital Operational Resilience Act (DORA) for financial services and a wave of state-level cybersecurity legislation โ are compelling organizations to purchase cyber coverage as part of their compliance programs. The World Economic Forum's 2026 Global Cybersecurity Outlook found that only about 19% of organizations rate their cyber resilience above regulatory expectations, while 17% acknowledge falling below minimum standards โ a protection gap that directly translates into insurance demand.
The broader cyber insurance market is expanding rapidly. Munich Re estimates global cyber insurance premiums reached approximately $15 billion in 2025 and projects growth exceeding 10% annually through 2030, potentially reaching $28 billion. The reinsurer identifies ransomware, data breaches, business email compromise, and distributed denial-of-service attacks as the primary drivers of insured cyber losses. Despite this growth, softening market conditions and intense competition are expected to push average premiums lower in 2026, making coverage more affordable even as demand rises.
Artificial intelligence is fundamentally reshaping the cyber landscape on both sides. Threat actors are deploying AI-powered tools for more effective ransomware campaigns and increasingly sophisticated deepfake-enabled fraud, while insurers use AI and machine learning to build more granular, dynamic underwriting models and detect fraudulent patterns. Carriers are also tightening policy language around contingent business interruption coverage and non-breach privacy claims, and at least one insurer has introduced a standalone AI policy. For businesses navigating this environment, the combination of new regulatory obligations and evolving threats makes robust cyber risk management and adequate insurance coverage a strategic necessity rather than an optional safeguard.
Key Points
- 1CIRCIA took effect in May 2026, requiring covered critical infrastructure entities to report cyber incidents within 72 hours
- 2Ransomware payments must be reported within 24 hours under the new law
- 3Only about 19% of organizations rate their cyber resilience above regulatory expectations (WEF 2026)
- 4The global cyber insurance market reached roughly $15 billion in premiums in 2025 (Munich Re)
- 5AI is increasing both attack sophistication and insurer underwriting precision
Why This Matters
CIRCIA's 72-hour reporting mandate fundamentally changes how US critical infrastructure operators must respond to cyberattacks, with significant compliance implications for utilities, financial firms, healthcare providers, and more. For the insurance industry, mandatory reporting drives demand for cyber coverage while also improving the data available for underwriting. For businesses of all sizes, the combination of new legal obligations and AI-intensified threats makes cyber insurance and resilience planning essential.
Related Stories
US Federal Reserve Holds Rates but Dot Plot Flips Hawkish; Half of FOMC Now Sees a 2026 Hike
June 17, 2026
Corebridge and Equitable to Merge in $22 Billion All-Stock Deal Creating US Retirement Giant
March 26, 2026
US Mortgage Rates Hold in Mid-6% Range as Inflation Hits Three-Year High
June 30, 2026
UK FCA's Landmark 'Targeted Support' Regime Goes Live to Close the Advice Gap
April 6, 2026
Daily Intelligence
The PolicyGlobal Daily Brief
Get the top 5 insurance and finance stories every morning, curated and verified by our editorial desk. No spam. Unsubscribe anytime.
Informational newsletter only. Not financial advice. Disclaimer