The Breach That Nobody Reported for 72 Days

In 2023, the SEC charged SolarWinds' CISO with fraud partly because the company allegedly downplayed the severity of a cyber incident and failed to disclose material risks. That case sent shockwaves through every boardroom in America. It proved something I've been telling organizations for years: how you report a cyber incident matters almost as much as how you respond to one.

If you're reading this, you probably suspect — or already know — that something bad happened on your network. Maybe a phishing email got through. Maybe ransomware locked your files. Maybe a vendor just told you your data was exposed. Whatever brought you here, you need a clear, actionable process for reporting what happened to the right people, in the right order, at the right time.

This guide walks you through exactly how to report a cyber incident — internally, to law enforcement, and to regulators — based on real frameworks, real requirements, and hard lessons from organizations that got it wrong.

What Counts as a Reportable Cyber Incident?

Before you can report, you need to know what qualifies. Not every suspicious email is a reportable event. But the threshold is lower than most people think.

A cyber incident is any event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the data it processes. That definition comes directly from CISA's cyber incident reporting guidance. In practical terms, here's what that includes:

  • Ransomware attacks — even if you didn't pay and restored from backup.
  • Credential theft — compromised passwords, especially for privileged accounts.
  • Business email compromise (BEC) — a threat actor impersonating an executive to redirect wire transfers.
  • Unauthorized access — someone got into systems they shouldn't have, even if nothing was visibly stolen.
  • Data exfiltration — confirmed or suspected transfer of sensitive data to an external location.
  • Denial-of-service attacks — attacks that disrupted business operations.
  • Supply chain compromise — a vendor or software provider was breached, and your data was affected.

If you're unsure, report it anyway. I've never seen an organization get in trouble for over-reporting. I've seen plenty get burned for under-reporting.

Step 1: Document Everything Before You Touch Anything

I've watched incident responders lose critical evidence because someone panicked and reimaged a server before preserving logs. Don't be that person.

The moment you suspect an incident, start a written timeline. Note the exact date and time you discovered the issue, who discovered it, what they observed, and what systems appear affected. Take screenshots. Photograph error messages on screens. Save email headers.

What to Capture Immediately

  • Date and time of discovery (use UTC if you operate across time zones).
  • How the incident was detected — alert, user report, external notification.
  • Which systems, accounts, or data sets are involved.
  • Any indicators of compromise (IOCs): IP addresses, file hashes, suspicious domains.
  • Actions already taken — did someone unplug a machine, reset a password, contact a vendor?

This documentation becomes the foundation for every report you'll file — internal, law enforcement, and regulatory. Get it right now, and you'll save yourself dozens of painful hours later.

Step 2: Activate Your Internal Incident Response Plan

If your organization has an incident response plan, now is when you use it. If you don't have one, that's a problem you'll fix after this fire — but right now, here's the minimum internal reporting chain:

Notify your IT security team or CISO immediately. If you're a small business without dedicated security staff, notify your IT lead or managed service provider. Then escalate to executive leadership — your CEO, COO, or general counsel needs to know within hours, not days.

The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a human element, including social engineering and credential abuse. That means your employees are both your first line of defense and your most likely attack surface. They need to know how to escalate suspicious activity fast — before a phishing email turns into a full-blown data breach.

This is exactly why investing in ongoing cybersecurity awareness training for your entire workforce isn't optional. People who've been trained recognize incidents faster and report them sooner.

Step 3: Report to Law Enforcement

Here's what actually happens when you call the FBI about a ransomware attack: they take you seriously. I've worked with organizations that delayed reporting because they were embarrassed or afraid of bad press. Every single one of them later told me they wished they'd called sooner.

FBI Internet Crime Complaint Center (IC3)

File a report at ic3.gov. The FBI's IC3 received over 880,000 complaints in 2023, with reported losses exceeding $12.5 billion. They track patterns across incidents and can sometimes recover stolen funds — especially in BEC cases — if you report quickly.

For BEC wire fraud specifically, contact your bank immediately and file an IC3 complaint within 72 hours. The FBI's Recovery Asset Team has a roughly 70% success rate on frozen funds when incidents are reported fast.

Your Local FBI Field Office

For serious incidents — ransomware, nation-state activity, large-scale data breaches — call your local FBI field office directly. Don't just file online. A phone call gets human attention faster.

CISA

Report incidents to CISA at cisa.gov/report. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), critical infrastructure entities will soon face mandatory reporting timelines — 72 hours for incidents, 24 hours for ransomware payments. Even if your organization isn't in critical infrastructure, CISA provides valuable technical assistance and threat intelligence sharing. Reporting to them helps the broader community.

U.S. Secret Service

If your incident involves financial fraud, payment card data, or cryptocurrency theft, the Secret Service has dedicated cyber fraud task forces. Contact your nearest field office.

How to Report a Cyber Incident to Regulators

SEC Requirements

Publicly traded companies must disclose material cybersecurity incidents within four business days of determining materiality, under the SEC's rules that took effect in December 2023. This isn't four days from discovery — it's four days from when you determine the incident is material. But don't use that distinction as an excuse to delay your materiality assessment.

State Data Breach Notification Laws

All 50 U.S. states have data breach notification laws, and they vary wildly. Some require notification within 30 days; others give you 60 or 90. Florida, for example, requires notification within 30 days and imposes fines of up to $500,000 for failure to comply.

If personal information of residents in multiple states was exposed, you may need to comply with several different notification laws simultaneously. This is where legal counsel earns their fee.

HIPAA

Healthcare organizations must report breaches of protected health information (PHI) affecting 500+ individuals to HHS within 60 days. Smaller breaches still require annual reporting.

FTC

If your organization made privacy or security promises to consumers and failed to keep them, the FTC may have jurisdiction. The Health Breach Notification Rule also requires certain non-HIPAA-covered entities to report breaches to the FTC.

Step 4: Notify Affected Individuals

This is the part nobody enjoys. But transparency matters — legally and ethically.

Your notification should include: what happened, what data was exposed, what you're doing about it, and what steps the affected person should take (monitor credit reports, change passwords, enable multi-factor authentication). Be specific. Vague notifications erode trust faster than the breach itself.

Don't wait for your investigation to be 100% complete before notifying. If you know personal data was compromised, start the notification process. You can always provide updates as you learn more.

Step 5: Preserve Evidence for Investigation

This runs parallel to reporting, not after it. Work with your legal team to establish attorney-client privilege over your forensic investigation. Engage a qualified digital forensics firm if the incident is significant.

Preserve firewall logs, email server logs, endpoint detection data, Active Directory logs, and any malware samples. Do not wipe affected systems until your forensics team clears them. Chain of custody matters if this ever goes to court — and in serious breaches, it often does.
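The capture list in Step 1 and the preservation rule in Step 5 come together in one record: a timeline with UTC timestamps, validated indicators, the actions already taken, and a manifest that hashes every preserved log at collection time so it can be re-verified before forensics or counsel rely on it. The script below is an added example written for this guide, not code from the original article or from any agency; the incident id, analyst name, log lines and indicator values are all constructed, and the JSON layout is an assumption rather than any regulator's required format.

```python
"""Added example (not from the article): an incident record plus an
evidence manifest with SHA-256 hashes and a chain-of-custody log.
Covers the Step 1 capture list (UTC discovery time, detection source,
affected systems, IOCs, actions taken) and the Step 5 preservation rule
(hash every preserved log at collection time, re-verify before handing it
over). Every input below is constructed sample data."""
import hashlib
import ipaddress
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def utc_now() -> str:
    """ISO 8601 timestamp in UTC, as the article recommends for timelines."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: Path) -> str:
    """Stream the file so large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_valid_ioc(kind: str, value: str) -> bool:
    """Cheap sanity checks so a typo does not end up in a law-enforcement report."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "sha256":
        return re.fullmatch(r"[0-9a-f]{64}", value.lower()) is not None
    if kind == "domain":
        return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value.lower()) is not None
    return False


class IncidentRecord:
    """One JSON-serialisable record that later feeds every report you file."""

    def __init__(self, incident_id, discovered_at_utc, discovered_by, detection_source):
        self.data = {
            "incident_id": incident_id,
            "discovered_at": discovered_at_utc,
            "discovered_by": discovered_by,
            "detection_source": detection_source,
            "affected_systems": [],
            "iocs": [],
            "actions_taken": [],
            "evidence": [],
            "custody_log": [],
        }

    def add_ioc(self, kind, value, note=""):
        if not is_valid_ioc(kind, value):
            raise ValueError(f"rejected {kind} indicator: {value!r}")
        self.data["iocs"].append({"kind": kind, "value": value, "note": note})

    def add_action(self, actor, action):
        # Who did what, and when, including containment steps taken before IR was engaged
        self.data["actions_taken"].append({"at": utc_now(), "actor": actor, "action": action})

    def _custody(self, actor, event):
        self.data["custody_log"].append({"at": utc_now(), "actor": actor, "event": event})

    def preserve(self, path: Path, collected_by: str) -> str:
        """Hash a file at collection time and open its custody trail."""
        digest = sha256_file(path)
        self.data["evidence"].append({"file": str(path), "size": path.stat().st_size,
                                      "sha256": digest, "collected_at": utc_now(),
                                      "collected_by": collected_by})
        self._custody(collected_by, f"collected {path.name} sha256={digest}")
        return digest

    def verify(self, actor: str = "verifier") -> dict:
        """Re-hash every preserved file; any False means the evidence changed."""
        results = {}
        for entry in self.data["evidence"]:
            ok = sha256_file(Path(entry["file"])) == entry["sha256"]
            results[entry["file"]] = ok
            self._custody(actor, f"verified {Path(entry['file']).name}: {'match' if ok else 'MISMATCH'}")
        return results

    def to_json(self) -> str:
        return json.dumps(self.data, indent=2)


def run_demo() -> dict:
    """Constructed walk-through: preserve a log, verify, tamper, verify again."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))
    fw_log = workdir / "firewall.log"
    fw_log.write_text(  # constructed sample lines, documentation-range addresses
        "2024-05-01T13:58:11Z DENY src=203.0.113.7 dst=10.0.0.12 dport=445\n"
        "2024-05-01T13:59:02Z ALLOW src=10.0.0.12 dst=203.0.113.7 dport=443\n"
    )
    rec = IncidentRecord("INC-2024-0001", "2024-05-01T14:02:00+00:00", "j.doe", "EDR alert")
    rec.data["affected_systems"].append("FILESRV01")
    rec.add_ioc("ip", "203.0.113.7", "outbound connection from FILESRV01")
    rec.add_ioc("domain", "invoice-update.example", "link in the original phishing email")
    rec.add_action("j.doe", "isolated FILESRV01 from the network via EDR")
    rec.preserve(fw_log, "j.doe")
    before = rec.verify()
    fw_log.write_text("tampered\n")  # simulate the log being edited after collection
    after = rec.verify()
    return {"before": all(before.values()), "after": all(after.values()),
            "custody_events": len(rec.data["custody_log"])}


if __name__ == "__main__":
    print(run_demo())
```

Run it once at discovery and again before each hand-off; a mismatch in verify() is itself an event worth recording, because it tells you the copy you are about to give investigators is not the copy you collected. Keep the record on a system outside the affected environment so the custody log survives any reimaging.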

The Reporting Timeline That Actually Works

Here's the sequence I recommend based on years of incident response work:

  • Hour 0-1: Document what you know. Notify internal IT/security leadership.
  • Hour 1-4: Brief executive leadership and legal counsel. Activate incident response plan. Begin evidence preservation.
  • Hour 4-24: File reports with FBI IC3 and CISA. Contact your local FBI field office for serious incidents. Begin materiality assessment (SEC-regulated companies).
  • Day 1-3: Engage forensics firm. Determine scope of data exposure. Begin drafting notification letters.
  • Day 3-30: Comply with applicable state breach notification laws. File regulatory reports (SEC, HHS, etc.). Notify affected individuals.

These timelines compress dramatically for ransomware. If a threat actor is actively in your network, you may be making law enforcement calls within the first hour.
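The sequence above is easier to run under pressure as a dated checklist than as a list of hour ranges. The function below is an added example for this guide, not code from the article; it uses only the windows the article names (72 hours for an IC3 BEC complaint, CIRCIA's 72 hours for incidents and 24 hours for ransomware payments, four business days from the materiality determination for the SEC, 60 days for a HIPAA breach affecting 500 or more individuals, Florida's 30 days, and the insurer's 24-72 hours), and leaves every other state window and the insurer's actual figure as caller-supplied parameters. Holidays are not modelled, so the business-day deadline is an upper bound; which clock actually starts each window is a question for counsel.

```python
"""Added example (not from the article): turn the reporting sequence into
a sorted, dated checklist. Timestamps are ISO 8601 strings with an offset;
windows are the ones the article names, nothing more."""
from datetime import datetime, timedelta


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by N weekdays (Mon-Fri); public holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def reporting_deadlines(discovered_at: str, *, bec=False, critical_infrastructure=False,
                        ransom_paid_at=None, materiality_determined_at=None,
                        phi_individuals=0, state_windows_days=None,
                        insurer_notice_hours=None):
    """Return (deadline_iso, obligation) pairs, soonest first.

    state_windows_days maps a state code to its notification window in days,
    e.g. {"FL": 30} from the article; look up the rest with counsel.
    insurer_notice_hours comes from your own policy (the article cites 24-72).
    """
    found = _parse(discovered_at)
    items = []
    if bec:
        items.append((found + timedelta(hours=72), "FBI IC3 complaint (BEC wire fraud)"))
    if critical_infrastructure:
        items.append((found + timedelta(hours=72), "CISA incident report (CIRCIA)"))
        if ransom_paid_at:
            items.append((_parse(ransom_paid_at) + timedelta(hours=24),
                          "CISA ransomware payment report (CIRCIA)"))
    if materiality_determined_at:
        # The SEC clock starts at the materiality determination, not at discovery
        items.append((add_business_days(_parse(materiality_determined_at), 4),
                      "SEC material incident disclosure"))
    if phi_individuals >= 500:
        items.append((found + timedelta(days=60),
                      f"HHS breach notification ({phi_individuals} individuals)"))
    for state, days in (state_windows_days or {}).items():
        items.append((found + timedelta(days=days), f"{state} resident notification"))
    if insurer_notice_hours:
        items.append((found + timedelta(hours=insurer_notice_hours),
                      "cyber insurance carrier notice (policy terms)"))
    return [(when.isoformat(), what) for when, what in sorted(items)]


if __name__ == "__main__":
    # Constructed scenario: BEC discovered Thursday morning, deemed material Friday afternoon
    for when, what in reporting_deadlines("2024-05-02T09:00:00+00:00", bec=True,
                                          materiality_determined_at="2024-05-03T16:30:00+00:00",
                                          phi_individuals=1200,
                                          state_windows_days={"FL": 30},
                                          insurer_notice_hours=48):
        print(when, what)
```

Note that the entries this produces are hard deadlines, not targets: the article's own sequence has the FBI and CISA reports filed within the first day, well inside any of these windows.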

Mistakes That Make Cyber Incident Reporting Worse

Paying Ransomware Without Reporting

Paying a ransom without notifying law enforcement doesn't just miss an opportunity for help — it can create legal exposure. OFAC sanctions mean paying certain threat actor groups is potentially illegal. Report first, then make payment decisions with legal counsel.

Downplaying the Scope

I've seen organizations tell regulators that "only 500 records were affected" when the real number was 50,000. Forensic investigators eventually find the truth. The cover-up always costs more than the breach.

Waiting for Certainty

You don't need a complete forensic report to file an initial report. Law enforcement and regulators understand that investigations take time. They want early notification, not perfection.

Building a Culture That Reports Incidents Fast

The organizations that handle cyber incidents best aren't the ones with the fanciest tools. They're the ones where a junior employee feels comfortable saying, "I clicked something I shouldn't have," without fear of punishment.

That culture starts with training. Specifically, it starts with phishing awareness training that teaches employees to recognize and report social engineering attacks before they escalate. Phishing simulation programs that reward reporting — rather than punish clicking — dramatically reduce dwell time.

Security awareness isn't a checkbox exercise. It's the single most cost-effective control you can deploy. The 2024 Verizon DBIR data backs this up: the human element remains the dominant attack vector, which means human training remains the dominant defense.

What Happens After You Report

Filing a report isn't the end. Here's what to expect:

  • FBI/IC3: You may be contacted by a field agent, especially if your case matches a known campaign. Cooperation can lead to asset recovery and prosecution.
  • CISA: May provide technical assistance, including malware analysis and network scanning. Their help is practical and hands-on.
  • Regulators: Will review your notification for compliance with applicable laws. May open an investigation if they believe the breach was caused by negligent security practices.
  • Insurance: Your cyber insurance carrier needs to be notified per your policy terms — often within 24-72 hours. Late notification can void coverage.

Don't Wait for a Breach to Build Your Reporting Playbook

The worst time to figure out how to report a cyber incident is during a cyber incident. Build your reporting playbook now. Identify your state notification requirements. Save the FBI IC3 and CISA reporting URLs. Know your cyber insurance carrier's claims phone number. Have legal counsel on retainer who specializes in data breach response.

And most importantly, train your people. Every employee in your organization should know exactly what to do when they spot something suspicious. Whether it's a phishing email, an unusual login alert, or a ransomware note on their screen — the first 60 minutes define the outcome.

The organizations that survive breaches aren't the ones that never get attacked. They're the ones that report fast, respond decisively, and learn from every incident. That starts with preparation, and preparation starts today.