Because cyber threats continue to grow in sophistication and effectiveness, cyber incident reporting is not only important but necessary: it lets other organizations learn from an incident and avoid the same mistakes. Many governing bodies and national governments around the world have begun to require cyber incident reporting that documents the type of attack used, its source, and how it occurred, in order to better understand the threat landscape.
This article will discuss why cyber incident reporting is important, when an organization should do it, and what needs to be included in the report.
What is Cyber Incident Reporting?
Cyber incident reporting is when an organization that has been affected by a cyber attack, data breach, data leak, or any situation where sensitive information was exposed, reports the incident to the proper parties, which typically include stakeholders, law enforcement, affected customers, business partners, and government officials.
Incident reports typically include details of the incident, including when it happened, how it occurred, who or what was affected, and the scope of the breach. The report is then used to assess the incident, and the information it contains informs new security policies, compliance standards, and other risk management strategies.
The Importance of Cyber Incident Reporting
Incident reporting is important because it provides a way for organizations and businesses to document, respond to, and learn from a cyber attack. Incident reporting should be part of every organization’s security program as a step in the incident response process.
Additionally, security incident reporting should be done as soon as the attack has been detected, with all affected and related parties notified immediately. In many cases, businesses or individuals fail to do so out of embarrassment or fear that they will lose customer trust. However, the faster an incident is reported, the faster officials and authorities can support you or your organization in responding to the attack.
Here are the top reasons why organizations need to report cyber incidents.
Maintain Regulatory Compliance
Laws such as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in the US or the GDPR in the EU require covered organizations to report incidents promptly, no later than 72 hours after the incident. Cyber incident reporting is also mandatory in highly regulated sectors, such as healthcare and finance, and failure to report often results in costly penalties.
All organizations facing regulatory scrutiny for data protection need appropriate monitoring systems, reporting processes, documented incident response plans, and disaster recovery plans to help diagnose, contain, and repair the damage.
The goal of these mandates isn’t to punish businesses for failing to secure their systems, but to “enhance the situational awareness of cyber threats” and “facilitate information sharing” among all businesses and governments. They encourage non-covered entities (non-infrastructure, private organizations) to voluntarily report all incidents so that the latest cyber threats are better understood and new initiatives aimed at protecting sensitive data can be advanced.
Improve Risk and Threat Awareness
Cyber incident reports aren’t just documentation of a particular cyber attack — they can also serve as a framework for other businesses to learn from and improve their risk management programs. In the world of cybersecurity, all businesses should be working together to fight against cybercrime and limit the scope of attacks from threat actors.
In many cases, the business or individual does not realize that a cyber attack has occurred and therefore never reports it. The more widely an incident is reported in the media, the higher the likelihood that other individuals will recognize the signs of a cyber attack and begin to improve their personal and professional cybersecurity practices.
A full incident report also helps IT professionals better understand the cyber threat landscape and how to mitigate new cyber risks. If a business was compromised through a zero-day vulnerability, for example, the incident report can detail the nature of the vulnerability, how it was exploited, and what patches are needed to resolve it.
Build Trust With Clients, Customers, and Stakeholders
Any business handling customer data should take care to protect its customers and ensure that their information is securely stored. This includes being transparent and honest when it has experienced a data breach, regardless of the cause of the incident. Reporting a cyber incident can build trust with the organization’s patients, clients, customers, and stakeholders by showing that it is handling the incident with professionalism and urgency.
Although disclosing a cyber attack may initially draw criticism, organizations need to remember that no business in the world is completely protected against threats and that even the largest corporations suffer security breaches.
Protect Business Relationships
An organization’s attack surface includes its third-party service providers. Any organization that has suffered a cyber incident needs to report it to all of its business partners so that they can protect themselves as well. No matter how well an organization is secured internally, a breached external third party could still compromise its entire network.
More importantly, failure to report an incident can damage business relationships, potentially across the entire industry, because the affected organization puts the whole supply chain at risk, including all third and fourth parties.
Ensure Prompt Remediation Action
Many regulations require a swift and thorough diagnosis of an incident after it has occurred. Although data breaches are often not detected until months after they happen, the moment one is detected, the incident response plan, including its reporting procedures, should be triggered immediately.
Once the incident is reported, the organization is on record and required to follow up on containment and mitigation steps. Additionally, regulators such as the Information Commissioner’s Office (ICO) or the Office for Civil Rights (OCR) can often provide additional resources to help the organization respond to the attack.
This process can help individuals and organizations avoid cyber threats in the future through a full (and in some cases mandated) investigation into how and why the incident occurred.
When to Report a Cyber Incident
While having as much information as possible about a cyber incident makes it easier to get help, organizations should report cyber incidents promptly within the applicable timeframe (usually 72 hours), even if not all the information is available yet. A company may file updated reports as the situation evolves, and it is better to start the process sooner rather than later so that all affected parties can be alerted.
According to the Department of Homeland Security (DHS), victims of cybercrime are encouraged to report cyber incidents as soon as possible if there is a chance of the following:
- Significant loss of data, information system availability, or control
- A substantial number of affected people
- Unauthorized access to critical information technology systems
- Malicious software on critical IT systems
- Compromise of core government functions or critical infrastructure
- Compromise of public health and safety, national security, or economic security
Whether the incident has already happened, is ongoing, or is suspected, a dedicated threat response team (internal or external) should consider whether it meets any of the listed criteria. The goal of prompt reporting is to contain the breach, reduce the chances of data loss, and ensure minimal business disruptions.
Important cyber incident reporting timeframes include:
- US critical infrastructure (under CIRCIA) - 72 hours
- Healthcare entities (under HIPAA) - 60 days
- Banking organizations (under the FDIC’s Final Rule) - 36 hours
- EU organizations (under GDPR) - 72 hours
- Australian critical infrastructure (under the SOCI Act) - 72 hours
- Indian organizations (under the IT Act) - 6 hours
What To Include in a Cyber Incident Report
The fundamental information that will help officials in the event of a cyber incident should include the following:
- The name and contact details of the reporting party (and designated point of contact)
- The organization’s details (name, industry, size, etc.)
- The type of incident (code injection, DDoS attack, malware attack, etc.)
- The start date and time of the cyber incident
- The attack vector or exploited vulnerability, if known
- How the cybersecurity incident was discovered, and by whom
- The assets impacted by the cyber incident
- Operational constraints or business disruptions
- Response actions the organization has taken so far
- Who else the organization has notified (including all law enforcement agencies)
- Ransom demands, if any
The more details a business can share, the better, as long as they are relevant to the incident. Sharing the following technical details can help protect the public and expedite data or system recovery:
- Computer system log files
- Affected operating systems
- Ports involved in the cyber incident
- Unauthorized system access or repeated attempts for unauthorized access
- DDoS (Distributed Denial of Service) attacks with a duration exceeding 12 hours
- The appearance of malicious code
- Scanning of system services
- Phishing attempts, successful or not (CISA works with the Anti-Phishing Working Group (APWG) and collects phishing emails, SMS messages, and websites)
- Detailed reports regarding ransomware against critical infrastructure
Where to Report a Cyber Incident
According to the Department of Homeland Security (DHS), entities required by law (or a contract) to report cybersecurity incidents should comply with this obligation first.
- CISA Incident Reporting System for all critical infrastructure, including agriculture, chemical services, commercial facilities, communications, manufacturing, defense, emergency services, energy, financial services, food, government, information, nuclear, public health, transportation, water, and waste
- US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for all healthcare entities
- Designated FDIC (Federal Deposit Insurance Corporation) contact or assigned FDIC examination team for all banking and financial organizations
- ENISA (European Union Agency for Cybersecurity) for EU organizations
- CERT-In (Computer Emergency Response Team India) for Indian businesses
Voluntary reports can also be made to the relevant federal point of contact, including: