Am I legally required to report and respond to cyber attacks?

Definitely.  At this point all states have breach notification laws that will require you to notify affected parties and provide remediation services.  These laws may even require you to notify several attorneys general. These laws differ from state to state and you'll have to comply with all statutes relevant to the incident - not just the law in your home state.  It's pretty daunting, which is why a cyber insurer taking care of all this and paying the bills is a deal you should really consider.