
Complete Guide to Cybersecurity Incident Reporting: Process, Deadlines, and FAQ [2025]


A cybersecurity incident has occurred — what should you do?

Beyond technical remediation, there's one more crucial step: reporting.

Taiwan's Cyber Security Management Act mandates that certain organizations must report cybersecurity incidents. Failure to report or late reporting may result in penalties.

This article explains the complete cybersecurity incident reporting process.

After reading, you'll know: when to report, how quickly, how to report, and to whom.

What Is a Cybersecurity Incident?

First, let's define clearly: what constitutes a "cybersecurity incident"?

Definition of a Cybersecurity Incident

According to the Enforcement Rules of the Cyber Security Management Act, a cybersecurity incident is:

A situation where the state of a system, service, or network, upon identification, indicates a possible violation of cybersecurity policies or failure of protective measures, or a previously unknown situation that may be security-related.

In plain language, this means:

  • A system has been breached, or an attempt was made to breach it
  • Data has been stolen, leaked, or tampered with
  • Services have been disrupted or are behaving abnormally
  • Any other event that affects information security

Common Types of Cybersecurity Incidents

Type | Examples
Malware | Ransomware, viruses, trojans
Intrusion attacks | System compromise, backdoor implantation
Data breach | Personal data leaks, confidential data theft
Service disruption | DDoS attacks, system crashes
Account abuse | Account hijacking, privilege abuse
Website defacement | Webpage replacement, malicious code injection
Phishing | Successful phishing email attacks

Situations That May Not Require Reporting

The following situations don't necessarily trigger a reporting obligation:

  • Attacks blocked by firewalls or antivirus software
  • Receiving phishing emails without clicking them
  • Vulnerability scans revealing flaws (not yet exploited)
  • Brief outages caused by system maintenance

If you're unsure, however, it's better to report: over-reporting beats missing one.

Cybersecurity Incident Reporting Obligations

Who needs to report? Under what circumstances?

Reporting Obligors

Under the Cyber Security Management Act, the following are required to report:

Government Agencies

All government agencies must report cybersecurity incidents.

Specific Non-Government Agencies

Designated specific non-government agencies have reporting obligations, including:

  • Critical infrastructure providers
  • State-owned enterprises
  • Government-funded foundations

Reporting Recipients

Government Agencies

Report to:

  1. Superior agency
  2. Administration for Cyber Security, Ministry of Digital Affairs

Specific Non-Government Agencies

Report to the central competent authority.

For example:

  • Financial industry → Financial Supervisory Commission
  • Telecommunications → National Communications Commission (NCC)
  • Energy industry → Ministry of Economic Affairs

When Is Reporting Required?

Simply put: report when you discover a cybersecurity incident.

But there's a prerequisite: the incident must reach a certain level of impact.

Must report:

  • System intrusion
  • Data breach
  • Service disruption exceeding a certain duration
  • Impact on other agencies or the public

Depends on the situation:

  • Minor incidents (e.g., single computer infection already cleaned)
  • Failed attacks (successfully blocked)

In practice, it's recommended to follow the "better safe than sorry" principle. When in doubt, report and let the competent authority decide.

Cybersecurity Incident Reporting Deadlines

Reporting has deadlines. Missing them may result in penalties.

Incident Levels and Deadlines

Cybersecurity incidents are classified into four levels, each with different reporting deadlines:

Level | Definition | Preliminary Report | Detailed Report
Level 4 | Affects other agencies or the public | Within 1 hour | Within 8 hours
Level 3 | Core operations unable to function | Within 8 hours | Within 24 hours
Level 2 | Core operations affected but functional | Within 24 hours | Within 72 hours
Level 1 | Non-core operations affected | Within 72 hours | Within 7 days

How to Determine the Level?

Level 4 (Most Severe)

Characteristics:

  • Impact extends beyond the organization
  • May cause harm to public rights and interests
  • Attracts public attention

Examples:

  • Large-scale personal data breach
  • Critical service paralysis
  • Attacks involving national security

Level 3

Characteristics:

  • Core systems unable to operate
  • Business operations halted

Examples:

  • Main systems hit by ransomware
  • Critical database corruption
  • Prolonged service disruption

Level 2

Characteristics:

  • Core systems affected but still usable
  • Performance degraded but not halted

Examples:

  • Partial system intrusion
  • Possible confidential data leak
  • Intermittent service disruption

Level 1

Characteristics:

  • Non-core systems affected
  • Limited impact scope

Examples:

  • Single computer infected
  • Test environment breached
  • Minor data anomalies

When Does the Deadline Start?

When does the clock start ticking?

Time of Awareness

The deadline starts from the moment you "become aware of the incident."

Awareness means that someone in the organization has discovered the event and confirmed it as a cybersecurity incident.

For example:

  • IT staff receives an alert
  • An employee reports an anomaly
  • External notification received

Not the Time of Occurrence

The incident may have occurred two weeks ago, but you only discovered it today. The deadline starts from today.
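As an added example (not part of the article), a small Python deadline tracker that encodes the level table above, starts the clock at the time of awareness rather than occurrence, and makes no holiday adjustment. The three yes/no inputs to classify_level and the ransomware scenario are constructed assumptions, not anything the article specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# (preliminary, detailed) reporting windows per level, from the article's table.
DEADLINES = {
    4: (timedelta(hours=1), timedelta(hours=8)),
    3: (timedelta(hours=8), timedelta(hours=24)),
    2: (timedelta(hours=24), timedelta(hours=72)),
    1: (timedelta(hours=72), timedelta(days=7)),
}

def classify_level(affects_others_or_public: bool, core_ops_halted: bool,
                   core_ops_affected: bool) -> int:
    """Three yes/no questions stand in for the article's level characteristics
    (a simplification assumed here); the most severe match wins."""
    if affects_others_or_public:
        return 4
    if core_ops_halted:
        return 3
    return 2 if core_ops_affected else 1

@dataclass
class ReportClock:
    occurred_at: datetime  # when it actually happened; does NOT start the clock
    aware_at: datetime     # when someone in the organisation confirmed it
    level: int

    def due(self) -> tuple[datetime, datetime]:
        """Deadlines run from awareness; holidays do not extend them, so plain
        wall-clock arithmetic (no business-day adjustment) is the right model."""
        prelim, detailed = DEADLINES[self.level]
        return self.aware_at + prelim, self.aware_at + detailed

    def late(self, prelim_sent, detailed_sent=None) -> dict[str, bool]:
        """Flag reports that missed their window; an unsent detailed report is not judged."""
        prelim_due, detailed_due = self.due()
        verdict = {"preliminary": prelim_sent > prelim_due}
        if detailed_sent is not None:
            verdict["detailed"] = detailed_sent > detailed_due
        return verdict

def ransomware_scenario() -> dict:
    # Constructed case: ransomware hit the main systems two weeks before IT
    # confirmed it on Monday 2025-01-06 at 09:00; core operations halted (Level 3).
    clock = ReportClock(datetime(2024, 12, 23, 3, 0), datetime(2025, 1, 6, 9, 0),
                        classify_level(False, True, True))
    prelim_due, detailed_due = clock.due()
    return {"level": clock.level, "prelim_due": prelim_due.isoformat(),
            "detailed_due": detailed_due.isoformat(),
            "late": clock.late(datetime(2025, 1, 6, 18, 30), datetime(2025, 1, 7, 8, 0))}
```

In the constructed scenario the preliminary report sent at 18:30 is late (due 17:00), while the detailed report sent at 08:00 the next day is on time (due 09:00).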

Consequences of Late Reporting

Administrative Penalties

Failure to report within the prescribed deadline: a fine of NT$300,000 to NT$5,000,000.

Penalties may be imposed per violation (each delay counts).

Other Impacts

  • Increased scrutiny from competent authorities
  • Enhanced auditing
  • Reputational damage

Cybersecurity Reporting Platform Operations

How do you actually report?

Reporting Channels

Government Agencies

Use the "Government Cybersecurity Incident Reporting Platform" (G-ISAC).

URL: https://gisac.nat.gov.tw

Specific Non-Government Agencies

Use the "National Cybersecurity Information Sharing and Analysis Center" (N-ISAC).

URL: https://www.nisac.nat.gov.tw

Or report through channels designated by the central competent authority.

Reporting Process

Step 1: Log In

Log into the reporting platform with your agency account.

(If you don't have an account, you'll need to apply through the competent authority first.)

Step 2: Create a Report

Fill in the reporting form, including:

  • Time of incident occurrence
  • Time of discovery
  • Incident type
  • Scope of impact
  • Preliminary description

Step 3: Submit Preliminary Report

Complete the initial report. The system will assign a case number.

Step 4: Submit Detailed Report

Provide additional details within the required timeframe:

  • Affected systems
  • Damage assessment
  • Handling status
  • Technical details

Step 5: Closure Report

After the incident is resolved, submit a closure report:

  • Root cause
  • Remediation actions
  • Improvement measures
  • Lessons learned

Key Points for Reporting Content

A good report should include:

Basic Information

  • Contact person and contact details
  • Incident timeline
  • Preliminary level assessment

Technical Information

  • Affected systems/services
  • Attack methods (if known)
  • Suspicious IPs, malware characteristics

Impact Assessment

  • Whether data was leaked
  • Whether services were disrupted
  • Number of affected people/scope

Handling Status

  • Measures already taken
  • Current situation
  • Support needed

Cybersecurity Incident Response Process

Reporting is just one part. The complete incident response process is as follows:

Phase 1: Detection and Identification

Discovering Anomalies

Possible discovery sources:

  • Monitoring system alerts
  • Employee reports
  • External notifications
  • Abnormal logs

Confirming the Incident

Initial assessment:

  • Is this a real attack or a false positive?
  • How large is the impact scope?
  • What is the incident level?

Phase 2: Containment

Preventing Spread

Immediate actions:

  • Isolate infected systems
  • Block malicious IPs
  • Disable compromised accounts
  • Protect critical data

Preserving Evidence

Don't rush to clean up:

  • Preserve system logs
  • Save malware samples
  • Document the handling process
  • Take screenshots

Phase 3: Reporting

Preliminary Report

Complete the initial report within the deadline:

  • Basic incident description
  • Preliminary impact assessment
  • Handling status

Detailed Report

Supplement with detailed information:

  • Technical details
  • Damage assessment
  • Handling progress

Phase 4: Investigation and Eradication

Investigating the Cause

Find out:

  • How did the attacker get in?
  • What vulnerability was exploited?
  • What did they do?
  • Were any backdoors left behind?

Eradicating the Threat

  • Remove malware
  • Patch vulnerabilities
  • Close backdoors
  • Reset account passwords

Phase 5: Recovery

System Recovery

  • Restore from backups
  • Rebuild compromised systems
  • Verify systems are functioning normally

Service Restoration

  • Gradually restore services
  • Monitor for anomalies
  • Confirm stable operation

Phase 6: Review and Improvement

Post-Incident Review

  • Reconstruct the incident timeline
  • Analyze response effectiveness
  • Identify areas for improvement

Improvement Measures

  • Strengthen defenses
  • Update policies
  • Enhance training
  • Update plans

Don't know how to handle a cybersecurity incident? Incident response requires professional experience. Contact us urgently — we provide incident response support.

FAQ

I'm not sure if it's a cybersecurity incident. Should I report it?

Yes, it's recommended.

You can first report it as a "suspected cybersecurity incident" and confirm through subsequent investigation.

The risk of missing a report is greater than the risk of a false report.

The incident has already been resolved. Do I still need to report?

Yes.

Your reporting obligation doesn't disappear just because you've resolved the issue.

Moreover, one purpose of reporting is to help the competent authority maintain situational awareness. Even if you've resolved it, the intelligence is still valuable.

Will reporting result in penalties?

Reporting itself won't result in penalties.

The Cyber Security Management Act penalizes:

  • Failure to report as required
  • Failure to report within the required deadline
  • False reporting content

Proactive reporting is the correct behavior and won't result in penalties.

Can I report anonymously?

Formal reports cannot be anonymous. You need to provide agency and contact information.

However, if you've discovered someone else's security issue, you can submit it anonymously through vulnerability disclosure channels.

Will reporting data be made public?

No, it won't be made public.

Reporting data is confidential, accessible only to the competent authority and relevant agencies.

However, major incidents may still be covered by the media; that is not a leak from the reporting system.

Do small companies need to report?

It depends on whether you've been designated as a "specific non-government agency."

If you haven't been designated, there's no legal mandatory reporting obligation.

However, if personal data is involved in a breach, you may need to report under the Personal Data Protection Act.

What if an incident occurs on a holiday?

Deadlines still apply.

Holidays are not a valid reason to extend reporting deadlines.

It's recommended to plan holiday duty schedules and reporting procedures in advance.

Can I have a vendor help with reporting?

The reporting obligation lies with you and cannot be fully delegated.

However, vendors can assist with:

  • Filling in reporting content
  • Providing technical information
  • Assisting with incident handling

The final submission of the report must be done by you.

For more information on cybersecurity regulations, see Complete Guide to the Cyber Security Management Act.

Next Steps

Cybersecurity incident reporting is both an obligation and a way to protect yourself.

Recommended Actions

Pre-Incident Preparation

  1. Confirm your reporting obligations and recipients
  2. Apply for a reporting platform account
  3. Establish internal reporting procedures
  4. Designate responsible persons and deputies
  5. Conduct reporting drills

When an Incident Occurs

  1. Calmly assess the incident level
  2. Complete the preliminary report within the deadline
  3. Simultaneously proceed with technical remediation
  4. Continuously update reporting content
  5. Complete the closure report

Need cybersecurity incident response support?

Every second counts during an incident. Professional support helps you control damage faster.

CloudInsight provides:

  • Incident response consulting
  • Technical investigation support
  • Reporting assistance
  • Recovery recommendations

Contact us urgently — we'll help you handle cybersecurity incidents.
