Cyber Incident Reporting

Cyber incidents continue to be an increasing concern for state, local and academic institutions within North Carolina.

Every year, there has been a noted increase of attacks in the form of ransomware, data exfiltration and extortion and others, which have devastating impact to the state’s critical infrastructure. This trend is forecasted to continue and remain a pervasive occurrence in the upcoming years.

Reporting cyber incidents as they occur is a method to reduce the risk to citizen-facing services and sensitive data. In doing so, the state is able to provide subject matter experts, resources, and assistance in various forms ranging from consultation and guidance, to deployment of the N.C. Joint Cybersecurity Task Force to assist as needed. Incidents should be reported even if your agency is not requesting assistance.

N.C. Joint Cybersecurity Task Force

The N.C. Joint Cybersecurity Task Force is comprised of law enforcement, Emergency Management, N.C. National Guard Cyber Security Response Force, the Local Government IT Strike Team, state IT/cyber specialists and federal agencies.

This team provides incident coordination, resource support and technical assistance to state, local and tribal entities and certain Critical Infrastructure Key Resource partners to reduce the impact to the affected entity, mitigate vulnerabilities and offer on-scene response personnel to aid in incident recovery.

When supporting the affected entity, the various members of the NC Joint Cybersecurity Task Force work in tandem to leverage their collective response expertise, apply their knowledge of cyber threats, preserve key evidence and use their combined authorities and capabilities both to minimize asset vulnerability and bring malicious actors to justice. 

Cyber Incident Reporting

When to Report a Cyber Incident

A cyber incident is an event that could jeopardize the confidentiality, integrity or availability of critical infrastructure (i.e., first responder networks, water, energy, etc.) and information systems. Reporting should take place within 24 hours of confirmation.

Cyber incidents resulting in significant damage are of particular concern to the state. Pursuant to N.C.G.S. 143B-1379, all local government entities must report all cyber incidents that might:

  • Result in a significant loss of data, system availability or control of systems
  • Have an impact on a large number of victims
  • Indicate unauthorized access to, or malicious software present on, critical information technology systems
  • Affect critical infrastructure or core government functions
  • Impact national security, economic security, or public health and safety

Examples include but are not limited to:

  • Malware
  • Denial of service
  • Ransomware
  • Large-scale hardware (server) disruptions

Incident reporting by private sector organizations is not mandated; however, it is highly encouraged.

How to Report a Cyber Incident

The state has multiple means to report cyber incidents, as indicated in the following table.

State AgenciesLocal Governments, Academic Institutions & Private Sector Entities
Contact the NCDIT Customer Support Center at 800-722-3946.Use the Statewide Cybersecurity Incident Report form.
Use the Statewide Cybersecurity Incident Report form. 
Contact the Enterprise Security and Risk Management Office at DIT.ThreatManagement@nc.gov. 
State, Local, Public Academic Institutions or Critical Infrastructure Key Resource Partners Requesting NC JCTF Assistance per N.C.G.S 166A-19.78A

Request assistance from the N.C. Joint Cyber Security Task Force by contacting the N.C. Emergency Management 24-Hour Watch Center, at NCEOC@ncdps.gov or at 1-800-858-0368.

For general inquiries or support, contact the N.C. Joint Cyber Security Task Force at jctf@nc.gov

Please note, this reporting does not override any other mandated federal reporting requirements.

What to Report About a Cyber Incident

A cyber incident may be reported at various stages, even when complete information might not be available. Helpful information could include but is not limited to:

  • Who you are
  • Who experienced the incident
  • What sort of incident occurred
  • How and when the incident was initially detected
  • What response actions have already been taken
  • Who has been notified

The Statewide Cybersecurity Incident Report form is designed to collect all relevant information to assist with response.

How the State Responds to Cyber Incidents

Upon receiving a request for assistance during a cyber incident, the NC Joint Cybersecurity Task Force  will establish a scoping call with the impacted entity to address the high-level activities outlined in the following table.

Response TypeDescription
Incident responseThis includes conducting forensics to identify root-cause, damage assessment and mitigation, and coordination with law enforcement activities as needed. Lastly, it includes information-sharing of indicators of compromise.
Recovery responseThis effort could include establishing best practice recovery methods, system hardening, restoration of services and infrastructure rebuild.

Mission-Critical Support

Providing for effective public safety and implementing adequate homeland security measures to protect all North Carolinians, whether physical or in cyberspace, should be our singular focus.

To be successful, it will take a whole of government and whole of community approach requiring partnership, coordination, and collaboration across public, private, non-profit, and non-governmental organizations. Your organization is a mission critical part of this approach as we strive to protect all North Carolinians.