FBI Cyber Officials Suggest Best Practices and Potential Benefits of Promptly Reporting Cybersecurity Incidents to Law Enforcement

Highlights
- The Federal Bureau of Investigation’s Cyber Division (FBI Cyber) recently convened a roundtable to discuss recent cybercrime trends and the potential benefits to organizations that promptly report cybersecurity incidents to law enforcement.
- FBI Cyber officials also discussed their suggested best practices for mitigating potential vulnerabilities from the latest cybersecurity threats.
- Information on how to report a cyber incident to the FBI is provided below.
Recently, FBI Cyber convened a meeting of outside counsel to discuss recent cybercrime trends, the potential benefits to organizations that promptly report cybersecurity incidents to law enforcement, and the FBI’s suggested best practices to mitigate vulnerabilities from the latest cybersecurity threats.
Cybercrime Trends and Potential Benefits of Reporting Cyber Incidents
FBI Cyber officials touted their latest Internet Crime Report, which stated that the FBI’s Recovery Asset Team had a 58% success rate in freezing funds via the Financial Fraud Kill Chain (FFKC) for fraud victims in 2025. The total funds frozen on behalf of victims via the FFKC last year was nearly $680 million. (Note: The FFKC is only available within 72 hours of international transfers of $50,000 or more.)
For the first time, the FBI’s Internet Crime Report attempted to quantify data for AI-related crimes. The report estimated losses for AI-related crimes in 2025 at approximately $893 million based on more than 22,000 complaints. Because the estimate is based on actual complaints to the FBI’s Internet Crime Complaint Center (IC3), this is likely a massive undercount of cybercriminals’ successful use of AI last year.
FBI Cyber officials noted a recent IBM report, which found that only 40% of ransomware victims engaged law enforcement last year, down from 53% in 2024. However, the report determined that law enforcement involvement reduced breach containment times by an average of 16 days and saved an average of approximately $1 million in breach costs, excluding any ransom payments.
Moreover, 63% of victims who engaged law enforcement last year avoided paying a ransom. A separate study by Chainalysis found that ransomware attacks rose by 50% in 2025 and that the median ransom payment by victims more than tripled to approximately $60,000.
Further, FBI Cyber officials stressed that prompt reporting by breach victims enables FBI Cyber to more quickly develop and share decryption keys, indicators of compromise (IOCs), and threat actors’ tactics, techniques, and procedures (TTPs). FBI Cyber officials noted that they can deploy (either on-site or virtually) rapid response teams of agents and analysts for key critical infrastructure, financial, and tech industry victims.
FBI Cyber’s Best Practices for Preventing and Responding to Cyber Threats
FBI Cyber officials also discussed their suggested best practices to mitigate the latest cybersecurity threats, including the following:
- Adopt phishing-resistant authentication to prevent passwords from being stolen. FBI Cyber recommends avoiding push-only approvals and SMS-based multifactor authentication methods.
- Implement a risk-based vulnerability management program to prevent threat actors from exploiting known vulnerabilities that remain unaddressed. FBI Cyber recommends setting remediation timelines based on risk; timelines for critical systems should be measured in days, not months.
- Track and retire end-of-life (EOL) technology on a defined schedule. EOL systems no longer receive security updates and are thus routinely targeted. FBI Cyber recommends maintaining a rolling 12-month EOL forecast, reviewed quarterly.
- Manage third-party risk by maintaining a single list of third parties with access or data-handling responsibilities. FBI Cyber recommends requiring strong authentication, least-privilege access, and monitored gateways; auditing and disabling unused accounts; requiring rapid breach notification, encryption, and annual control verification; and revoking access and confirming data disposition upon contract change or termination.
- Protect and preserve security logs for detection, response, and attribution. Retain logs based on legal and response needs. FBI Cyber recommends conducting quarterly exercises to review security logs.
- Maintain offline, immutable backups and test restoration. FBI Cyber recommends using the “3-2-1 Rule” (maintain at least three copies of critical data on two different media types, with one stored offline and immutable), securing backup platforms with strong authentication and separate administrator accounts, and testing restorations regularly, measuring recovery time, and remediating gaps.
- Identify, inventory, and protect internet-facing systems and services. FBI Cyber recommends maintaining a concise list of all internet-reachable systems with owners, removing unnecessary exposure, and requiring authenticated gateways for what remains.
- Strengthen email authentication and malicious content protections. FBI Cyber recommends quarantining high-risk attachments, blocking internet-sourced macros, and sandboxing suspicious files.
- Reduce administrator privileges. FBI Cyber recommends minimizing the number of administrator accounts and administrative group memberships; restricting where administrator logins are permitted and blocking their use on standard workstations; monitoring and alerting on privilege changes and new administrator accounts; and removing local administrator rights from user devices, approving exceptions with expiration dates.
- Exercise your incident response plan with stakeholders. FBI Cyber recommends maintaining an incident response playbook and conducting quarterly tabletop exercises with technical, legal, communications, operations, and leadership teams.
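The backup recommendation above can be checked mechanically against a backup inventory. The following is an added example, not code from the FBI or from this publication: it audits one dataset's copies against the 3-2-1 Rule, the separate-administrator-account point, and restore testing. The inventory fields, account names, and the 90-day and 240-minute thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                             # e.g. "disk", "tape", "object-store"
    offline: bool
    immutable: bool
    admin: str                             # account that administers this copy
    primary: bool = False                  # the live production copy
    last_restore: Optional[date] = None    # last successful test restore
    restore_minutes: Optional[int] = None  # measured recovery time

def audit_321(copies, today, max_test_age_days=90, rto_minutes=240):
    """Return a list of gaps; both thresholds are assumed values, not FBI figures."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"{len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        gaps.append("fewer than 2 media types")
    if not any(c.offline and c.immutable for c in copies):
        gaps.append("no offline immutable copy")
    prod_admins = {c.admin for c in copies if c.primary}
    for c in (c for c in copies if not c.primary):
        # A backup run by a production admin account falls with that account.
        if c.admin in prod_admins:
            gaps.append(f"{c.name}: shares admin account {c.admin} with production")
        if c.last_restore is None or (today - c.last_restore).days > max_test_age_days:
            gaps.append(f"{c.name}: no restore test in {max_test_age_days} days")
        elif c.restore_minutes is None or c.restore_minutes > rto_minutes:
            gaps.append(f"{c.name}: recovery time unmeasured or over {rto_minutes} min")
    return gaps

# Constructed inventories for one dataset (all names are made up).
TODAY = date(2026, 3, 1)
WEAK = [
    Copy("prod-db", "disk", False, False, "dbadmin", primary=True),
    Copy("nightly-nas", "disk", False, False, "dbadmin",
         last_restore=date(2025, 6, 1), restore_minutes=90),
]
FIXED = [
    Copy("prod-db", "disk", False, False, "dbadmin", primary=True),
    Copy("nightly-nas", "disk", False, True, "bkp-admin",
         last_restore=date(2026, 1, 15), restore_minutes=90),
    Copy("vault-tape", "tape", True, True, "bkp-admin",
         last_restore=date(2026, 2, 1), restore_minutes=200),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_321(inv, TODAY) or "meets 3-2-1")
```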
When and How to Report Cybersecurity Incidents to the FBI
In deciding whether to promptly report a cybersecurity incident, organizations should first consider their insurance policies. While a policy may not require prompt reporting to law enforcement, it may be encouraged.
In ransomware attacks, FBI Cyber may have already developed decryption keys for a particular variant. FBI Cyber can also deploy (either on-site or virtually) rapid response teams of agents and analysts for some victims. Prompt reporting to the FBI may also increase confidence among customers, employees, shareholders, and corporate board members that companies are seriously addressing cybersecurity incidents. Additionally, FBI Cyber officials have offered to accept anonymized information from victims in some cases.
If your organization decides to make a report to the FBI, go to ic3.gov and click “File A Complaint.” After submitting the complaint form, you will receive a Complaint ID. Next, contact your local FBI field office and provide the Complaint ID. Your outside counsel may also have contacts at FBI Cyber to bring the report to their attention.
If you have any questions, please contact your Barnes & Thornburg relationship attorney or an attorney in our Data Security and Privacy group.
©2026 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg.
