Question 1

What qualifies as a cybersecurity incident?

Accepted Answer

A cybersecurity incident is any event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the data it processes, stores, or transmits. This includes confirmed data breaches where personally identifiable information (PII), protected health information (PHI), or financial data is accessed by unauthorized parties; ransomware attacks that encrypt systems and demand payment; unauthorized access to networks, servers, or cloud environments; phishing campaigns that result in credential compromise; distributed denial-of-service (DDoS) attacks that disrupt operations; insider threats where employees or contractors misuse their access privileges; malware infections including trojans, worms, and spyware; supply chain compromises affecting third-party software or services; and the loss or theft of devices containing sensitive data. Even suspected incidents — such as anomalous network traffic, unexpected privilege escalations, or alerts from intrusion detection systems — should be documented and investigated because early detection dramatically reduces the scope and cost of a breach.

Question 2

What data breach notification laws apply to cybersecurity incidents?

Accepted Answer

All 50 U.S. states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted data breach notification statutes that require organizations to notify affected individuals when their personal information is compromised. The specific requirements vary by state but generally mandate notification within 30 to 90 days of discovering the breach. Many states also require notification to the state attorney general, and some require notification to consumer reporting agencies if the breach affects a large number of residents (typically 500 or more in a single state). Beyond state laws, sector-specific federal regulations impose additional requirements: HIPAA requires covered entities to notify HHS and affected individuals within 60 days for breaches affecting 500+ people; the Gramm-Leach-Bliley Act requires financial institutions to notify customers of unauthorized access; SEC rules require publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality; and the Federal Trade Commission enforces breach notification requirements under its authority over unfair and deceptive practices.

Question 3

How does the NIST Cybersecurity Framework relate to incident reporting?

Accepted Answer

The NIST Cybersecurity Framework (CSF) provides the most widely adopted structure for organizing cybersecurity incident response. The framework's five core functions — Identify, Protect, Detect, Respond, and Recover — map directly to the incident reporting lifecycle. The Detect function encompasses the monitoring and alerting capabilities that identify incidents. The Respond function includes incident analysis, containment, eradication, communication, and reporting. The Recover function covers restoration of services and implementation of improvements. Within the Respond function, NIST SP 800-61 (Computer Security Incident Handling Guide) provides detailed guidance on incident documentation, including what to record in the incident report, how to preserve evidence for forensic analysis, and how to coordinate with law enforcement. Organizations that align their incident reporting process with NIST can demonstrate due diligence to regulators, insurers, and auditors. Many cyber insurance policies now explicitly require NIST-aligned incident response procedures as a condition of coverage.

Question 4

What evidence should be preserved during a cybersecurity incident?

Accepted Answer

Digital evidence preservation is critical and must begin immediately — before containment actions that might alter or destroy forensic artifacts. Evidence to preserve includes: system logs (firewall, IDS/IPS, authentication, application, and operating system logs) covering the period before, during, and after the incident; full disk images of compromised systems captured using forensically sound methods that maintain chain of custody; memory dumps from running systems that may contain malware, encryption keys, or evidence of active sessions; network traffic captures (PCAP files) showing data exfiltration or command-and-control communications; email headers and message bodies from phishing attacks; malware samples isolated in quarantine; screenshots of ransom notes, defaced websites, or unauthorized access; access logs showing login times, IP addresses, and user account activity; cloud provider logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs); and any communications with the attacker. All evidence should be documented with hash values (SHA-256), timestamps, and the name of the person who collected it. Use write-blockers for disk imaging and maintain an unbroken chain of custody log, because evidence may be needed for criminal prosecution, civil litigation, or regulatory enforcement.

Question 5

When should law enforcement be contacted about a cybersecurity incident?

Accepted Answer

Law enforcement should be contacted when the incident involves criminal activity — which includes most data breaches, ransomware attacks, unauthorized access, and insider theft of trade secrets. The FBI's Internet Crime Complaint Center (IC3) accepts reports of all cyber crimes. For ransomware specifically, the FBI and CISA jointly recommend reporting to IC3 and to the local FBI field office, even if the organization does not intend to pay the ransom. The Secret Service investigates financial crimes including payment card fraud and business email compromise. For incidents involving critical infrastructure, CISA should be notified directly. Contacting law enforcement does not mean losing control of the investigation — agencies typically work cooperatively with the victim organization and can provide threat intelligence, decryption keys (in some ransomware cases), and assistance with attribution. However, organizations should coordinate with legal counsel before contacting law enforcement to understand the implications for privilege, regulatory obligations, and potential liability. Many cyber insurance policies require the insured to notify the carrier before engaging law enforcement to ensure coverage is preserved.

Question 6

What are the SEC cybersecurity disclosure requirements?

Accepted Answer

In July 2023, the SEC adopted rules (Release No. 33-11216) requiring publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material. Materiality is assessed under the traditional securities law standard — whether a reasonable investor would consider the information important in making an investment decision. The disclosure must describe the nature, scope, and timing of the incident and its material impact or reasonably likely material impact on the company's financial condition, results of operations, and business. Companies must also disclose their cybersecurity risk management processes, strategy, and governance in their annual 10-K filing, including whether the board of directors has cybersecurity expertise and how management assesses and manages cyber risk. The cybersecurity incident report is the internal document that provides the factual foundation for determining materiality and drafting the 8-K disclosure. Organizations should ensure their incident report captures enough detail about business impact, data exposure, and remediation costs to support the materiality analysis.

Question 7

How should a cybersecurity incident report document the attack timeline?

Accepted Answer

The attack timeline is the backbone of a cybersecurity incident report and should be reconstructed in granular detail using forensic evidence. The timeline typically covers five phases: initial access (how the attacker gained entry — phishing email, exploited vulnerability, compromised credentials, supply chain vector), with the date, time, and method documented; persistence (how the attacker maintained access — backdoor installation, credential harvesting, scheduled tasks, registry modifications); lateral movement (how the attacker moved through the network — RDP connections, pass-the-hash, exploitation of internal services); data staging and exfiltration (what data was accessed, copied, compressed, or transmitted out of the network, with file names, sizes, and destination IP addresses); and impact (encryption of systems, data destruction, defacement, or operational disruption). Each event on the timeline should cite the specific log source, artifact, or forensic finding that supports it. Use UTC timestamps consistently to avoid confusion across time zones. The timeline should also document the defender's actions: when the incident was detected, who was notified, what containment measures were taken, and when systems were restored.

Question 8

What role does cyber insurance play in incident reporting?

Accepted Answer

Cyber insurance policies impose specific requirements on policyholders regarding incident reporting and response. Most policies require the insured to notify the carrier's claims department within 24 to 72 hours of discovering a potential incident — not after the investigation is complete. Early notification is typically a condition of coverage; delayed notification can be used by the insurer to deny or limit the claim. The policy may designate a panel of pre-approved forensic investigators, breach counsel, and notification vendors that the insured must use (or at least consult) to receive full reimbursement. The incident report must document costs that are covered under the policy, which typically include forensic investigation, legal fees for breach notification compliance, credit monitoring for affected individuals, crisis communications, business interruption losses, and — in some policies — ransom payments. The incident report should clearly distinguish between first-party losses (the insured's own costs) and third-party claims (lawsuits and regulatory fines), because these are often covered under different policy sections with separate limits and retentions.

Free Cybersecurity Incident Report Forms

What Is a Cybersecurity Incident Report?

Breach Notification Compliance

Forensic Evidence Chain

NIST-Aligned Response

Cybersecurity Incident Report Form Preview

CYBERSECURITY INCIDENT REPORT

Key Components of a Cybersecurity Incident Report

Incident Classification and Severity

Attack Vector and Indicators of Compromise

Affected Systems and Data Inventory

Containment, Eradication, and Recovery

Legal and Regulatory Analysis

Forensic Evidence and Chain of Custody

How to Write a Cybersecurity Incident Report

Activate the incident response plan and assign roles

Preserve evidence before containment

Contain and eradicate the threat

Assess data exposure and notification obligations

Compile the formal incident report

Conduct lessons learned and update controls

Frequently Asked Questions

Official Resources

Create your Cybersecurity Incident Report in under 10 minutes.