In 2023, the FBI's Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion — a 22% increase in losses from the year before. Yet the FBI estimates a massive number of cyber incidents still go unreported. That gap between what happens and what gets reported is where damage compounds. If you don't know how to report a cyber incident, you're not just risking your own organization — you're letting the threat actor move on to the next victim unchallenged.
This guide walks you through exactly what to do, who to contact, and what order to do it in. Whether you're dealing with credential theft, ransomware, a business email compromise, or a data breach, the steps below apply.
Why Most Organizations Report Cyber Incidents Too Late
I've seen it dozens of times: a company discovers suspicious activity on a Tuesday, spends Wednesday and Thursday "investigating internally," and doesn't contact law enforcement until the following week. By then, the threat actor has exfiltrated data, covered tracks, and possibly sold credentials on the dark web.
The hesitation usually comes from fear — fear of reputational damage, regulatory penalties, or admitting a failure. But delayed reporting almost always makes things worse. The 2024 Verizon Data Breach Investigations Report found that the median time for a user to fall for a phishing email was less than 60 seconds. Attackers move fast. Your reporting has to keep pace.
Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), critical infrastructure entities will be required to report substantial cyber incidents to CISA within 72 hours. Even if your organization doesn't fall under that mandate yet, treating 72 hours as your ceiling is smart practice.
Step 1: Contain the Incident Before You Pick Up the Phone
Before you report anything externally, you need to stop the bleeding. This doesn't mean a full forensic investigation — it means taking immediate containment steps.
- Isolate affected systems. Disconnect compromised machines from the network. Don't power them off — you may destroy volatile memory evidence.
- Disable compromised accounts. If credential theft is involved, force password resets and revoke active sessions immediately.
- Preserve logs. Firewall logs, email server logs, authentication logs — lock them down before they rotate out.
- Activate your incident response plan. If you don't have one, that's a problem we'll address below.
Containment gives you something concrete to report. Agencies don't need you to have all the answers — they need to know what happened, what you've done so far, and what systems are affected.
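The "preserve logs" step above, as an added example that is not part of the original article: a Python script that copies log files into an evidence directory before they rotate out and records a SHA-256 manifest, so anyone reviewing the copies later can confirm they are unchanged. The function names, directory layout, and manifest fields are assumptions chosen for illustration.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir):
    """Copy each log into evidence_dir and write manifest.json describing the copies."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for i, src in enumerate(map(Path, sources)):
        if not src.is_file():
            # Record gaps too: a log that already rotated out is itself a finding.
            manifest.append({"source": str(src), "status": "missing"})
            continue
        dest = evidence_dir / f"{i:03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        st = src.stat()
        digest = sha256_file(dest)
        manifest.append({
            "source": str(src), "copy": dest.name, "sha256": digest,
            "size": dest.stat().st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            # A log still being written can change mid-copy; flag it, keep the copy.
            "status": "ok" if sha256_file(src) == digest else "changed-during-copy",
        })
        dest.chmod(0o440)  # make the preserved copy read-only
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir):
    """Return the names of preserved copies whose hash no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["copy"] for e in manifest
            if "copy" in e and sha256_file(evidence_dir / e["copy"]) != e["sha256"]]
```

Call `preserve_logs()` with the firewall, mail, and authentication log paths for your environment, store the evidence directory on media the affected systems cannot write to, and run `verify_evidence()` before handing copies to investigators.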
Step 2: Report to the FBI's Internet Crime Complaint Center (IC3)
For most organizations in the United States, your first external report should go to the FBI IC3. This is the federal government's central hub for receiving and triaging internet crime complaints.
What to Include in Your IC3 Report
- Date and time of the incident
- How the attack occurred (phishing email, exploited vulnerability, social engineering, etc.)
- Type of incident: ransomware, business email compromise, data breach, credential theft
- Financial losses, if any
- IP addresses, email addresses, bitcoin wallet addresses, or other indicators of compromise
- Steps you've already taken to contain the incident
Filing with IC3 isn't just paperwork. In business email compromise cases, the FBI's Recovery Asset Team has a 74% success rate in freezing fraudulent transfers when reports come in quickly. Speed matters.
Step 3: Notify CISA for Operational Support
The Cybersecurity and Infrastructure Security Agency (CISA) isn't law enforcement — they're operational support. If you're dealing with an active, sophisticated intrusion, reporting to CISA can get you technical assistance, indicator sharing, and coordination with other agencies.
CISA is especially relevant if your organization is in critical infrastructure — healthcare, energy, financial services, water, transportation. But any organization can report. CISA uses your report to warn other potential targets, which is why reporting matters beyond your own walls.
When CISA Involvement Is Critical
- You've been hit by ransomware and the variant appears to be part of a larger campaign
- You suspect a nation-state or advanced persistent threat actor
- The incident affects operational technology (OT) or industrial control systems
- You need technical forensic support you can't handle in-house
Step 4: Meet Your Regulatory Reporting Obligations
Depending on your industry, you likely have mandatory reporting requirements with specific deadlines. Missing them can cost you more than the breach itself.
- HIPAA (Healthcare): Breaches affecting 500+ individuals must be reported to HHS within 60 days.
- SEC (Public Companies): Material cybersecurity incidents must be disclosed on Form 8-K within four business days of determining materiality.
- State Breach Notification Laws: All 50 states have breach notification laws with varying timelines. Most require notifying affected individuals within 30-60 days.
- GDPR (EU Data Subjects): 72-hour notification requirement to the relevant supervisory authority.
Your legal counsel should be looped in during Step 1. They'll help you determine which regulations apply and keep you from accidentally waiving privilege during the investigation.
What Counts as a Cyber Incident? A Quick Reference
A common question I get: "Does this even count as something I need to report?" Here's a straightforward answer.
A cyber incident is any event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the data it holds. That includes:
- A successful phishing attack where an employee entered credentials on a spoofed page
- Ransomware encrypting files on any system
- Unauthorized access to customer data, even if you're not sure data was exfiltrated
- A business email compromise attempt, whether or not money moved
- Discovery of malware or a backdoor on your network
When in doubt, report. No agency will penalize you for over-reporting. Under-reporting is where the liability lives.
Step 5: Document Everything for Post-Incident Review
Your incident report isn't just for the FBI or CISA. It's for you. Every cyber incident should feed back into your security program.
Document the timeline, the attack vector, the response actions, and the gaps that let it happen. I've worked with organizations that treated incident documentation as an afterthought and then couldn't answer basic questions from their cyber insurance carrier. That's how claims get denied.
A thorough post-incident review should answer three questions: How did they get in? Why didn't we catch it sooner? What changes prevent a repeat?
The Best Incident Report Is the One You Never Have to File
Knowing how to report a cyber incident is essential. But the organizations that rarely need to file these reports have something in common: they invest in security awareness before the breach, not after.
Most incidents I've investigated started with a human mistake — a clicked phishing link, a reused password, a misconfigured MFA setting. Technical controls matter, but they fail when people aren't trained to recognize social engineering and threat actor tactics.
If your organization doesn't have a structured training program, start with cybersecurity awareness training at computersecurity.us. It covers the fundamentals your employees need — from credential theft prevention to understanding zero trust principles.
For organizations that want to go further, phishing awareness training at phishing.computersecurity.us provides realistic phishing simulation exercises that test and reinforce what your team has learned. Simulated attacks build muscle memory in a way that slide decks never will.
Your Incident Reporting Checklist
Bookmark this. Share it with your IT team and your leadership. When the pressure is on, you need a checklist, not a textbook.
- Contain — Isolate systems, disable compromised accounts, preserve evidence
- Report to FBI IC3 — File at ic3.gov with all available indicators of compromise
- Report to CISA — Especially for critical infrastructure, ransomware, or sophisticated intrusions
- Engage legal counsel — Determine regulatory obligations, protect privilege
- Notify regulators — Meet HIPAA, SEC, state, or GDPR deadlines as applicable
- Notify affected individuals — As required by law, with clear and actionable language
- Document thoroughly — Feed findings into your security program and insurance records
- Train and improve — Use the incident to justify and refine security awareness training
Every cyber incident is a test of your preparation. The organizations that come through it well aren't the ones with the biggest budgets — they're the ones that practiced reporting, practiced response, and treated every employee as part of the security team. Know the steps. Run the drills. And when the real thing happens, you'll report it right.