Guideline for Reporting a Cyber Incident

In our last blog post, we covered best practices for creating and implementing an Incident Response Plan (IRP). As a follow-on to that post, we'd like to share some insight into the steps an organization can take to report a cyber incident. Any incident that has the potential to cause significant damage to the confidentiality, integrity, or availability of an organization's data may be reported to the federal government. If the incident was deliberate, it should be reported.

What and when to report

It's important to know the legal reporting requirements for the organization's specific industry (such as notifying regulators, investors, or impacted customers) as well as the reporting timeline, which in some cases is only a matter of days from discovery of the incident. Otherwise, the organization runs the risk of incurring fines that magnify the financial impact of the incident itself. This is especially true in industries like healthcare and financial services that have federally mandated reporting requirements.

A cyber incident report typically includes: the affected organization's name, the type of incident that occurred (phishing, etc.), who was affected, when the incident was first detected, the types of data impacted, and the response actions the organization has already taken.

How to report a cyber incident

There are several channels available to private sector organizations for reporting a cyber incident. These include the National Cybersecurity and Communications Integration Center (NCCIC, now part of the Cybersecurity and Infrastructure Security Agency, CISA), the affected organization's local FBI Field Office cyber task force, the FBI's Internet Crime Complaint Center (IC3), and the organization's local Secret Service Field Office and Electronic Crimes Task Force (ECTF).

What happens after a reported cyber incident?

Internally, once an incident has been contained and reported, the organization should work to restore its data and services with the goal of becoming fully operational again as quickly as possible. There is often a policy requirement for the organization to conduct an After Action Review (AAR) to determine why the incident occurred (was it an accident or intentional?), how it was detected and handled, and what steps the organization is taking to prevent a similar cyber attack in the future.

Why report a cyber incident?

C-level executives often struggle when deciding whether they should report a cyber incident to the federal government, and how much information they should share. Reporting a suspected cyber incident is often the ethical thing to do and may help protect the organization's reputation and finances. The organization should be honest in its reporting, but also cautious about sharing more information than is required.

The appropriate federal agencies should work with the affected organization to help it understand the incident, link it to related incidents, and share information that helps resolve the situation, while protecting the privacy of the affected organization. Ideally, the government will then share information about the incident and its impact with the organization's peers, which can help prevent the same incident from occurring elsewhere.

A cyber incident can have serious consequences. That's why it's important for an organization to have an Incident Response Plan in place and to be prepared to report the incident to the appropriate federal agency. The goal is to minimize the damage to your organization as well as to those who are potentially impacted by the cyber incident.