7 Types of Cybersecurity Business Attacks that Must Be Reported to the Federal Government – CISA, SEC, FBI – Free Cyber Incident Report Form and Professional Cyber Readiness Response Service

– Every organization must have an IR reporting system in place, as attacks are imminent.

CyberSecurityCSI was created to help small businesses comply with US federal cybersecurity incident reporting laws.

We can guide, apply on behalf of, and assist with the Cybersecurity Incident Reporting details at the bottom of this page.

BACKGROUND

If you want to do it all alone, click on the CISA logo.

The above reporting applies to ALL companies, and if you are a publicly-held company there are additional SEC reporting requirements – click on image for the complete 186-report. And while there are major disagreements on what type of “incident” needs to be reported to the SEC, it is likely that the company should report ALL incidents.

The ruling is intended to increase visibility into the governance of cybersecurity and put greater pressure on boards and C-suites, according to the SEC. Providing disclosure in a more “consistent, comparable and decision-useful way” will benefit investors, companies and the markets connecting them, the agency says. 

CyberSecurityCSI goals are to help businesses:

  • Avoid litigation
  • If publicly held, review for SEC compliance
  • Potentially lower cyberinsurance costs and ease resolution of claims
  • IMPORTANT – cyber insurance will only protect you if you HAVE reported incidents and your IT systems are regulatory compliant
  • Mitigate reputation impact
  • Reduce business and customer losses
  • Gain historical documentation and knowledge for reporting and transparency
  • Determine cybersecurity weakness and get remedies
  • Add reporting, metrics and other management reports
  • Get needed additional training and
  • Get expert level cybersecurity and other professional services, to name a few of the benefits.

We are not legal advisors; however, we can be a good resource team with industry certifications and decades of experience in cybersecurity, internet security and other skills.


7 Types of and 10 Elements in a Cybersecurity Incident Report Required within 72 Hours via CISA.gov

It is time for customers and advisors to be ready to know what incidents to report and what content belongs in a Cyber Incident Report.

Seven types of cybersecurity attacks to report.

1 – Unauthorized access to your system.

2 – Denial of Service (DoS) attacks that last more than 12 hours.

3 – Malicious code on your systems, including variants if known.

4 – Targeted and repeated scans against services on your systems.

5 – Repeated attempts to gain unauthorized access to your system.

6 – Email or mobile messages associated with phishing attempts or successes.

7 – Ransomware against Critical Infrastructure, including variant and ransom details if known.

Here are 10 key elements to share in the incident report.

1 – Incident date and time.

2 – Incident location.

3 – Type of observed activity.

4 – Detailed narrative of the event.

5 – Number of people or systems affected.

6 – Company/Organization name.

7 – Point of Contact details.

8 – Severity of the event.

9 – Critical Infrastructure Sector if known.

10 – Anyone else you informed.

——-

Click here for a PDF of a Free Cyber Incident Report Form to customize without obligation.

——

Once submitted, CISA will triage and analyze the report.

If appropriate, they will share anonymized information about this activity with others to help them manage their risk.

If CISA needs additional information, they will contact the submitter for additional details.

CISA encourages all organizations to share information about unusual cyber activity and/or cyber incidents 24/7 via report@cisa.gov or (888) 282-0870.

Explore this and more at CISA.gov. In speaking with CISA, there are no fines or penalties for non-reporting, but there is a willingness to help with law enforcement agencies; they advise seeking advice from security professionals.

To help you, we created CyberSecurityCSI, and here’s a Top-10 Security Planning Guide:

– You are risking your job, fines for the company, civil litigation and more if you don’t follow these recommendations.

1 – Start now – have an outside professional review your team and approve or suggest improvements. Then have another third party audit their report.

2 – Socialize now – unless everyone really knows they could be fired or terminated for even unwittingly being part of a breach, and could face civil litigation or even jail time, they may not realize the reality of the very serious issues at stake.

3 – Start small – understand that the weakest link, just one employee, can bring down your house of cards.

4 – Build a scalable solution – the weakest link needs to be the point where you can scale, as other weak links will likely emerge.

5 – Build a survivable model – whatever model you choose, make sure it is really hardened against the worst possible scenario, and again test to see if it is really strong.

6 – Security Built In – security must be like “white blood” cells in our body, attacking everything and protecting and giving up their host even when confronted with cancer.

7 – Validation – nothing works until it faces battle. Only when the concept you built faces the worst possible enemy can you know, or hope to know, if it will work.

8 – Circling back – realize now and every day that hackers are also more motivated than you will ever be, as you are focused on defense and they are focused on offense. They can also attack many more vulnerable areas than you know how to protect, which means there is not one kind of weak link but many.

9 – No Real Pros – services or consultants who know one or a few areas but, in fairness, probably don’t have all the tools in their toolboxes to really help you.

10 – Future directions – it’s great to have policies, but if there is no police force to enforce them and evaluate that enforcement, there is no true security or privacy for all, if at all.

10 Highlights of FBI Guidance to Victims of Cyber Incidents on SEC Reporting via FBI.gov

1 – Publicly traded companies are required to determine whether each cybersecurity incident they experience is a “material cybersecurity incident.”

This term is defined as a cybersecurity incident in which “there is substantial likelihood that a reasonable shareholder would consider it important” when making an investment decision.

2 – The company has four business days to publicly disclose the incident by filing a Securities and Exchange Commission Form 8-K.

3 – The Department of Justice can determine if a delay in publicly filing the 8-K form is merited for reasons of national security or public safety.

The rule permits the Justice Department to grant a delay of public filing for 30 business days.

In “extraordinary circumstances,” the DOJ can delay for an additional 60 business days.

4 – The FBI is responsible for intaking delay requests on behalf of the DOJ and documenting those requests.

5 – The FBI also coordinates checks of U.S. government national security and public safety equities.

6 – Failure to report the cyber incident immediately upon determination of materiality will cause a delay-referral request to be denied.

7 – The FBI also encourages victims to engage with the FBI prior to making a materiality determination.

8 – After the FBI makes a referral based on equities checks and fact-finding procedures, the DOJ will issue a delay determination, which will be communicated in writing to the victim and the SEC.

9 – If the DOJ approves the delay request, the FBI should invite the victim to submit any requests for delay extensions to the FBI.

10 – Please note this summary is written for general reference; contact FBI.gov for more.
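To turn the two timelines on this page (the 72-hour CISA window and 10 report elements above, and the four-business-day Form 8-K deadline with the 30 or 30 + 60 business-day DOJ delay just described) into something you can check against a real incident, here is an added example that is not part of the original page or of CyberSecurityCSI's own tooling. It assumes the DOJ delay extends the original 8-K deadline by the same number of business days, and it does not model federal holidays; the sample report values are constructed.

```python
from datetime import datetime, timedelta

# The ten report elements listed on this page, as dictionary keys.
REQUIRED_ELEMENTS = (
    "incident_datetime", "incident_location", "activity_type", "narrative",
    "affected_count", "organization", "point_of_contact", "severity",
    "critical_infrastructure_sector", "others_informed",
)
# The page marks the sector "if known", so its absence is tolerated.
TOLERATED_IF_UNKNOWN = {"critical_infrastructure_sector"}

def missing_elements(report):
    """Return the required elements that are absent or empty in the report."""
    return [key for key in REQUIRED_ELEMENTS
            if key not in TOLERATED_IF_UNKNOWN and not report.get(key)]

def dos_is_reportable(duration_hours):
    """Denial of Service is reportable to CISA when it lasts more than 12 hours."""
    return duration_hours > 12

def cisa_deadline(discovered):
    """72-hour CISA reporting window, counted in wall-clock hours from discovery."""
    return discovered + timedelta(hours=72)

def add_business_days(start, days):
    """Advance by N business days (Mon-Fri); federal holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def sec_8k_deadline(materiality_determined, doj_delay_days=0):
    """Form 8-K is due four business days after the materiality determination.
    Assumption: a DOJ delay (30, or 30 + 60 = 90 in extraordinary circumstances)
    pushes that deadline out by the same number of business days."""
    if doj_delay_days not in (0, 30, 90):
        raise ValueError("DOJ delay must be 0, 30 or 90 business days")
    return add_business_days(materiality_determined, 4 + doj_delay_days)

# Constructed sample report (fictional values); the narrative is still empty.
SAMPLE_REPORT = {
    "incident_datetime": datetime(2024, 3, 1, 9, 0), "incident_location": "HQ data centre",
    "activity_type": "Denial of Service", "narrative": "", "affected_count": 120,
    "organization": "Example Widgets LLC", "point_of_contact": "it-sec@example.com",
    "severity": "High", "critical_infrastructure_sector": "", "others_informed": ["cyber insurer"],
}
```

Run `missing_elements(SAMPLE_REPORT)` to see which of the ten elements still need filling before submission, and feed the discovery time into the two deadline functions to get the CISA and 8-K dates side by side.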

Email me for more cross@gocross.com

—————

Professional Services Cyber Readiness Response Service

Should you want CyberSecurityCSI Cyber Readiness Response Professional Services email cross@gocross.com or call 303-594-1694 with professional services starting at $199 per 30-minute increments to get you a “second opinion” on your current cyber security services and professionals who advise or audit your company or organization.

Get a VIP Incident Response Professional Program now for one-hour guaranteed response for $499 with two (2) hours (save $300) of assistance or $999 (save $1,000) with five (5) hours of assistance and along with other thought leadership programs. A professional services collaboration program is available with other providers of IR applications and MSP/MSSP companies.

If you want to proceed email cross@gocross.com with your Linkedin profile as one step to verify who you are. Please make sure YOUR Linkedin Contact information is current as we will call/contact you via that information along with a special code which will be included in the invoice.

Thomas Cross will email you back and you can review his Linkedin profile to determine if you want to proceed. He has a CompTIA Security+ certification, taught more than a hundred cybersecurity classes to hundreds of students, developed in-depth security classes and advised numerous companies on their cybersecurity strategy, but again this is not legal advice but professional advice.

Limited capacity and subject to change without notice.

By reading this, you are acknowledging our Terms of Use and Privacy Policy as information provided “as is” without warranty, refund or recourse.