It may seem counter intuitive to many companies to involve the authorities after a cyber incident. Some fear that doing so would be an invitation to look under the hood and could potentially expose liabilities related to the breach or beyond.
However, the FBI has explicitly stated that companies that suffer data breaches should be treated as victims. The agency does not come in with raid jackets and shut down operations, nor are they looking to gather information in order to share it with other regulatory agencies.
“We don’t view it as our responsibility when companies share information with us to turn around and share that information” – FBI Director Christopher Wray
That said, key benefits exist to engaging authorities like the FBI when the cyber incident calls for it, and companies are starting to understand this. Let’s look in more detail at when and why you’d call the FBI.
When to Report a Cyber Incident to the FBI
The FBI offers guidance on when to actually get the authorities involved, which includes reporting to the agency in a timely way if a cyber incident:
- Involves significant loss in data, system availability, or control of systems
- Impacts a large number of victims
- Indicates unauthorized access to or malicious software on critical information technology systems
- Affects critical infrastructure or core government functions
- Impacts national security, economic security, or public health and safety
One special agent advised companies to report an incident within the first 72 hours, especially if financial transactions are involved. That’s because authorities have a better chance of recouping the funds within the first 72 hours. In our experience, for other events like data breaches or ransomware, specific timeframes are not often a huge factor.
Additional FBI guidance (linked above) is useful when it comes to what to report and how to report it, including key federal points of contact. But it is also helpful to develop a relationship with your local FBI field office in advance of an incident and to know the procedures for engaging with them.
While cyber incident reporting is currently optional, the FBI has at times encouraged all incidents to be reported in case one may be connected to many others. It’s worth mentioning that the Department of Justice recently called for mandatory reporting of cyber incidents to law enforcement in the future. Companies will want to keep an eye on this for upcoming developments.
Benefits of Involving the FBI During Cyber Incident Response
After a cyber incident is discovered, the FBI can offer more resources to the victim than they otherwise would have had. Tapping into those resources can help you stop the damage, mitigate reputational losses, and more. Not to mention that when companies cooperate, it can help authorities to better do their job in the collective fight against cyber crime.
“Getting the FBI involved early allows us—and our federal partners—to mitigate any ongoing damage to your networks and your data. It helps us connect the intrusion on your systems to any larger threat streams, and give you the information you need to understand what happened. It helps mitigate any risk to your reputation from a delayed notification. And it helps us notify other potential victims.” –– Chris Wray, FBI Director, FBI, in an October 2018 speech
Get Access to More Powerful Resources
Authorities that specialize in cyber attacks may have non-public information that can help you during incident response. Through their operations, they may even be able to locate and take down the criminal.
For example, the FBI may be intimately familiar with a particular criminal group’s process so that you are more aware of what you’re dealing with as you go through the response. Or, the FBI might have access to decryption keys that have been successfully used in responding to previous attacks from your attacker.
Tesla is one company that knows the power of the FBI during a cyber incident. After an employee was targeted by a Russian cybercriminal and offered $1 million to infect the company’s systems with malware, that employee reported the incident to the FBI. They deployed a sting operation and were able to arrest the suspect.
Delay Disclosures About the Cyber Incident
Engaging the authorities during a cyber incident can invoke what’s called a law enforcement hold during investigations, which prevents a company from disclosing the breach publicly.
Even so, the Securities and Exchange Commission may not view this hold as valid for public companies in all scenarios.
In 2018, the SEC issued a statement about cybersecurity disclosures, saying that while it recognizes that it “may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident, …an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
It’s worth mentioning that the law enforcement hold should not prevent the victim company from notifying their insurer. This disclosure hold is something that insurance companies are very familiar with, and the notice provisions of the policy still apply.
Lessen Reputational Loss After a Cyber Incident
Reputational harm is a real thing after a disclosed cyber event. Stock prices drop, consumers react, and it can take a long time for companies to regain trust.
When a company is ready to disclose, letting stakeholders know that it is working closely with authorities gives gravity to the company’s incident response. Having the right response during a cyber incident can have a net positive effect from a public perception standpoint.
In summary, as authorities are more and more willing to work with cyber victims by looking out for their best interests after an incident, companies are becoming much more comfortable engaging with them.
Does that mean that every time you report to the FBI, you’ll get access to all their resources? Probably not.
The FBI plays a specific role but is not a jack of all trades. There may be scenarios when they aren’t able to provide resources, but you can still benefit by delaying disclosures and lessening reputational impact. Remember, though: once you engage the FBI, you cannot put the genie back in the bottle.
Further, the FBI may be just one of many entities engaged to support your response to a cyber incident. Lawyers, IT forensics specialists, and others may be involved as well, and your cyber insurance policy may require either specific firms to be used or pre-approval of the vendors you select.