Create Your Cybersecurity Incident Report

A cybersecurity incident report is a formal document that records the details of a digital security event — including what happened, which systems were affected, the attack vector, whether data was compromised, containment actions taken, root cause analysis, and corrective measures planned. It serves as an official record for internal security programs, cyber insurance claims, regulatory compliance (breach notification under all 50 state laws), and legal proceedings. The report structure aligns with NIST SP 800-61 (Computer Security Incident Handling Guide) documentation standards. For publicly traded companies, the SEC now requires disclosure of material cybersecurity incidents under 17 CFR § 229.106, making structured incident documentation essential for timely and accurate filing.

Notification requirements depend on your state's breach notification law and the type of data compromised. California requires notification "in the most expedient time possible" (Cal. Civ. Code § 1798.82). Texas requires notification within 60 days (Tex. Bus. & Com. Code § 521.053). Florida requires notification within 30 days for individuals and 10 days for the state attorney general (Fla. Stat. § 501.171). Colorado requires 30 days (C.R.S. § 6-1-716). Many states also require notification to the state attorney general, especially when the breach exceeds a certain number of records. Federal regulations impose additional requirements: HIPAA requires covered entities to notify affected individuals within 60 days of discovery (45 CFR § 164.404), HHS for breaches affecting 500+ individuals, and the Gramm-Leach-Bliley Act (GLBA) mandates notification for financial institutions. Consult legal counsel for your specific obligations.

The report supports 12 attack vectors: phishing, malware, ransomware, unauthorized access, DDoS (distributed denial of service), insider threat, SQL injection, social engineering, zero-day exploit, supply chain attack, credential stuffing, and a general "other" category. This classification taxonomy aligns with the NIST SP 800-61 incident categorization framework and the categories recognized under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), which defines offenses including intentional unauthorized access, exceeding authorized access, and knowingly causing damage to protected computers. Select the vector that best describes how the attacker gained access or caused damage.

Toggle "Data Compromised" to ON if any personal, financial, medical, or sensitive data was accessed or exposed. Under HIPAA, a breach is specifically defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by the Privacy Rule, which compromises the security or privacy of the information (45 CFR § 164.402). State laws define "personal information" differently — most include name plus SSN, driver's license number, or financial account numbers, while newer statutes like New York's SHIELD Act add biometric data and email credentials. When toggled ON, you will be asked to estimate the number of records affected. This information determines notification obligations and is critical for insurance claims. The PDF will include a dedicated Data Breach Assessment section with these details.

The contributing factors checklist includes cyber-specific items: weak/compromised credentials, unpatched software, phishing/social engineering, misconfigured systems, lack of multi-factor authentication, insider threat, third-party/vendor vulnerability, insufficient access controls, missing security monitoring, inadequate security training, and shadow IT/unauthorized software. According to the Verizon Data Breach Investigations Report (DBIR), stolen or compromised credentials are involved in nearly 50% of all breaches, while phishing accounts for over 30% of initial access vectors. These factors map to the NIST Cybersecurity Framework (CSF) core function categories — Identify, Protect, Detect, Respond, and Recover — ensuring your root cause analysis addresses gaps across the full security lifecycle. Select all that apply — most incidents involve multiple contributing factors.