Incident management
Reporting an incident
If you have experienced a cyber incident, and you aren’t sure which organisations to contact, you can use the UK government signposting service to help you.
Who are Incident Management in the NCSC?
The NCSC Incident Management (IM) team responds to serious cyber incidents, helping to reduce harm to the UK. We are responsible for triaging incidents, defining the NCSC and cross-government response, and providing direct support to victim organisations, in cooperation with a victim’s own incident response provider.
What happens when the NCSC notifies an organisation of an incident?
Our capabilities and partnerships mean that we are often aware of an incident before the victim. Where this is the case, we try to notify the victim as soon as possible. This may be over the phone, via email, by an automated alert from our Early Warning service or, very occasionally, via the police. The NCSC has a verification service to give you confidence that contact from the NCSC is genuine. We do not charge for our incident management services and will never ask for payment.
When we get in touch, we always try to provide a victim organisation with as much information as possible to help the response and investigation.
Early Warning is a free NCSC threat-notification service that tells subscribing organisations about potentially suspicious activity on their networks. It uses information feeds from the NCSC, as well as trusted public, commercial and closed sources, including several privileged feeds not available elsewhere.
Why report to the NCSC?
- We can help manage your engagement with the rest of government so you can focus on the incident response.
- Through our capabilities and network of relationships, we may have access to unique information and insight that can help you understand and manage your incident. We also have considerable experience supporting victims across different sectors.
- We can connect you with leading commercial incident response expertise to support your investigation through our certified cyber incident response scheme.
- We can advise on your incident communications strategy, bringing in our communications team who can use their experience to support your approach.
- Sharing with the NCSC informs our understanding of the threat landscape. We may share anonymous technical details with other network defenders, using Traffic Light Protocol (TLP) handling caveats, to help prevent other incidents. It also helps us shape our guidance in the long term.
- Working with us may mean a more favourable regulatory response – regulators such as the Information Commissioner’s Office (ICO) may take into account timely engagement with us (and the ICO is even considering making explicit the amount saved in a fine when an organisation has positively engaged).
- We will protect your information, and we won’t share it with regulators without first seeking permission. The NCSC isn’t a regulator – we respect your confidentiality.
Incident management guidance
Advice for organisations on how to effectively detect, respond to and resolve cyber incidents.
How we handle your information
- We protect information we receive in the same way we protect our own confidential information: we hold it securely, with strictly limited access.
- Where appropriate, we may share details with our law enforcement partners to help identify investigation or mitigation opportunities.
- The information we hold is exempt from Freedom of Information requests.
- We won’t share details with regulators, such as the Information Commissioner's Office, without first seeking your consent. However, we may share aggregate statistics and anonymised details with them.