The US federal response to cybercrime is split across multiple agencies, each with a different mandate. Calling the wrong one wastes time you do not have. This is the short directory I keep printed on the inside of our incident binder.

None of this is legal advice. Work with counsel before filing formal reports. But know the landscape so you can move fast when the call needs to be made.

FBI — Internet Crime Complaint Center (IC3)

  • Web: ic3.gov
  • Field office locator: fbi.gov/contact-us/field-offices
  • 24/7 CyWatch: 1-855-292-3937, email cywatch@fbi.gov

Use IC3 for: almost any cybercrime report, but especially ransomware, business email compromise, and wire fraud. For business email compromise where money has moved in the last 72 hours, also call your local FBI field office directly — that triggers the Financial Fraud Kill Chain (FFKC) which can sometimes claw back wires.

IC3 does not investigate every report individually. It aggregates, looks for patterns, and feeds information to field offices. But filing creates a record that matters for insurance claims and for later prosecution.

CISA — Cybersecurity and Infrastructure Security Agency

  • Web: cisa.gov/report
  • 24/7 operations center: 1-888-282-0870
  • Email: report@cisa.gov

Use CISA for: incidents affecting critical infrastructure, federal systems, or incidents you want shared anonymously with the community. CISA does not do law-enforcement-style investigations. They help with technical response, threat intelligence sharing, and coordination across sectors.

For critical infrastructure operators: CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) mandatory reporting rules finalized in 2024 and are being phased in. Know whether you fall under the rule — if so, 72 hours for covered cyber incidents and 24 hours for ransom payments.

US Secret Service

  • Web: secretservice.gov/contact/field-offices
  • Cyber Fraud Task Forces (CFTF): field offices in most major US cities

Use USSS for: financial cybercrime, payment card fraud, cryptocurrency theft, counterfeiting of instruments. They share jurisdiction with the FBI on some financial cybercrime — in practice, they often work well together via joint task forces, and either will refer if necessary. If your breach is clearly financial, USSS is often the faster partner.

State Attorneys General

  • NAAG directory: naag.org/find-my-ag

Nearly every state now has a data breach notification law. Most require notifying the state AG within a defined window (often 30-60 days of discovery, some sooner) when resident personal information is affected. Some (California, New York, Massachusetts, Texas) have aggressive enforcement posture.

Your counsel handles this, but know the landscape: a breach touching residents of 30 states means 30 potential notifications, each with slightly different requirements. Dedicated breach-notification services (e.g., IDX, Kroll, Epiq) handle this workflow; engage them early.

SEC — Securities and Exchange Commission

  • Material cyber incident disclosure: Item 1.05 of Form 8-K
  • Timeline: four business days from determination that the incident is material

Applies to publicly traded companies and certain foreign private issuers. Two separate determinations: (1) has an incident occurred, and (2) is it material. The four-day clock starts at the materiality determination, not at initial detection — which gives counsel and the board runway to do the analysis properly. Do not rush to file; do not delay unreasonably once materiality is determined.

Other Relevant Bodies

  • HHS OCR (HIPAA breach notification): ocrportal.hhs.gov/ocr/breach — 60 days for breaches of 500+ individuals.
  • FTC: ftc.gov/business-guidance/privacy-security/data-security — enforces Safeguards Rule and related statutes; primary for identity-theft-consumer issues (identitytheft.gov).
  • OFAC (ransom payments, sanctions screening): home.treasury.gov/policy-issues/financial-sanctions — licensing and compliance before any ransom payment.
  • ISACs (sector-specific information sharing): FS-ISAC (financial), H-ISAC (health), E-ISAC (electricity), MS-ISAC (state/local government), Auto-ISAC, Aviation ISAC, etc.

A Practical Sequence

What the first round of calls typically looks like, once counsel is engaged:

  1. Cyber insurance carrier — because the policy may require it and will steer you to an approved IR firm.
  2. FBI field office (or CyWatch if it is nights/weekends).
  3. For BEC with active wire fraud: IC3 filing within 72 hours.
  4. For regulated industry: your sector ISAC and relevant regulator.
  5. State AGs, SEC, and public notifications — later, when facts are firm.

Keep this list updated annually. Phone numbers and forms change. The overall architecture does not, and knowing who does what saves hours in the first day of an incident.