How to Report a Security Breach in Your Organisation: Internal and Regulatory Steps

  • Writer: Neil Hare-Brown
  • Apr 18
  • 3 min read

Reporting a security breach isn’t just a box-ticking exercise - it’s a critical part of managing an incident effectively and meeting your legal, contractual, and ethical obligations.


Whether you’re dealing with a confirmed breach or a suspected one, knowing who to notify, when to report, and how to communicate can make a real difference in the outcome.

At STORM Guidance, we help organisations respond to cyber incidents with structure, clarity, and full compliance - supporting both immediate reporting needs and long-term resilience.



Step 1: Identify and Confirm the Breach


Before reporting, it’s important to determine:

  • Has unauthorised access to systems or data occurred?

  • What kind of data or systems were affected?

  • Is the breach ongoing or contained?

  • Was personal, customer, or sensitive business data exposed?


If you're unsure, it's still worth escalating internally or engaging external experts to validate.

You don’t need all the answers before reporting - but having a clear picture of the situation helps direct next steps.


Step 2: Escalate Internally


Notify key stakeholders as early as possible:

  • IT/security teams – to investigate and contain

  • Legal and compliance – to guide regulatory and contractual obligations

  • Executive leadership – to coordinate response and make key decisions

  • Communications/PR – in case public or customer communication is needed

  • HR or Operations – if employee data is involved

If you have an incident response plan, this is when it should be activated.


Step 3: Log and Document the Breach


Maintaining a clear audit trail is essential. Record:

  • When and how the breach was detected

  • Initial assessment of what was affected

  • Actions taken so far

  • Key decisions and who made them


This will support your regulatory reporting, legal obligations, and post-incident review.



Step 4: Report to External Authorities (If Required)


If the breach involves personal data, you may need to report it to a regulator. In the UK, this typically means:

Report to the ICO (Information Commissioner’s Office)

  • Within 72 hours of becoming aware of the breach

  • Even if you don’t yet have full details

  • Through their online breach reporting tool


Other obligations may include:

  • FCA (for regulated financial firms)

  • NHS DSP Toolkit (for health and care providers)

  • Industry-specific regulators depending on your sector or geography



Step 5: Notify Affected Individuals or Clients (If Necessary)


If there's a risk to individuals - for example, if customer data was accessed - you may need to notify those affected.

Your message should:

  • Explain what happened, in simple terms

  • Be transparent about what data was involved

  • Provide support (e.g. a helpdesk, credit monitoring, or guidance)

  • Be clear about what the recipient should do next


Not all breaches require customer notification, but clear communication can help preserve trust.




Step 6: Review Third-Party and Contractual Obligations


Some contracts (e.g. with suppliers, cloud providers, insurers, or partners) may require you to:

  • Report incidents within a set time window

  • Notify account managers or designated contacts

  • Follow specific response procedures


Review vendor agreements and insurance policies as part of your incident response.




Need Help Managing a Breach? STORM Guidance Is Here to Support You


Whether you're navigating an incident right now or reviewing your processes proactively, we can help with:

✔ Internal and external breach reporting

✔ Legal and regulatory compliance

✔ Communications strategy and messaging

✔ Technical response and forensic investigation

✔ Post-incident review and process improvement




Clear Reporting Builds Confidence

Reporting a breach isn’t just about obligation - it’s about maintaining trust, taking control of the situation, and showing that your business responds with integrity and care. Ultimately, it's about minimising loss.

The right approach, delivered calmly and confidently, can make all the difference.

STORM Guidance is here to help you manage the breach reporting process from start to finish - with clarity, compliance, and full incident response support, including threat actor engagement if your incident involves ransomware or extortion.


