Companies that discover a potentially significant cyber incident usually turn to their trusted outside law firm and a cybersecurity firm for assistance. But many companies decide not to reach out to the FBI, which can be a mistake in certain circumstances. Considering the practical assistance that the FBI can provide to targets of a cyber attack, and its recent statements expressing a commitment to support corporate victims of data breaches, companies and their outside advisors should give serious thought to reaching out to the FBI as part of their incident responses.

Reasons for Reluctance

One reason that companies are reluctant to contact the FBI in the early stages of a cyber event is that they often know very little. In the first few days, details like how the attack was executed, what vulnerability was exploited, and which parts of the network were exposed are elusive—or, as FBI Director Christopher Wray described it during Q&A at the 2018 Boston Conference on Cyber Security, they don’t have the incident “wrapped up in a nice, neat bundle with a bow on top.” Alison Noon, FBI Director Vows To Treat Hacked Companies as ‘Victims,’ Law360 (Mar. 7, 2018) (“Boston Q&A”). This hesitancy is understandable considering companies’ experiences working with government agencies in other contexts, where it is expected that companies will have answers to the government’s questions and will demonstrate an understanding of the relevant facts. But those rules generally don’t apply in a cyber attack, and recent statements by the FBI underscore that the earlier the Bureau is notified, the more efficiently and effectively it can provide companies with assistance.