Report a Cybersecurity Incident

The growing sophistication, complexity and impacts of cybersecurity threats makes timely incident reporting critically important. Early detection and prompt notification are essential to mitigate potential harm and enhance overall security.

The DFPI has developed a cybersecurity incident report to ensure that we are alerted at the earliest stage possible, enabling a swift response and containment measures. Our goal is to strengthen defenses, protect assets, data, and stakeholders against these evolving cyber risks.

Cyber Incident Notification

To address the growing cybersecurity risk, the DFPI encourages licensees who experience or have reason to believe they have experienced a cybersecurity incident report the event as soon as possible. This notification provides an early alert to the DFPI and does not require the licensee to provide a detailed incident assessment.

When to Report

The DFPI encourages a licensee who experiences a reportable cyber incident to report the incident to the DFPI in 48 hours or as soon as possible when it has reason to believe that it has experienced a reportable cyber incident with a nexus to California operations. A Reportable Cyber Incident is classified as any of the substantial incidents listed below:

• Ransomware attacks impacting critical systems and/or resulting in alteration or destruction of financial or client/member data.
• Distributed Denial of Service Attack disrupting the licensee’s business operations and causing significant down time.
• Unauthorized access (i.e., Man in the Middle Attack, SQL Injection) to an information system containing a substantial amount of sensitive client/member information.
• Data breach compromising a substantial amount of client/member or employee personal identifiable information.
• System compromise or data loss caused by internal actor(s).
• System(s) misconfiguration exposing sensitive client/member information.
• Phishing attack resulting in significant system downtime and data loss.
• Theft or loss of unprotected or unencrypted devices containing confidential and/or sensitive information.
• Social engineering attack leading to fraudulent transfer of funds.
• Third-party or vendor notification that the vendor has experienced a breach of sensitive client/member information.
• Unauthorized intrusion into the licensee’s network and its information system.
• Sensitive data exfiltrated outside of the licensee or third-party vendor’s network environment in an unauthorized manner.

How to Report

Use the Cybersecurity Incident Report Form to submit a report to the DFPI.

Licensees required to report cybersecurity incidents to federal regulator(s) should submit a Cybersecurity Incident Report to the DFPI promptly.

If the licensee has questions regarding the Cybersecurity Incident Reporting process, or to follow up on its cybersecurity incident report, it can email [email protected].