After a business is affected by a cyber breach, any number of decisions need to be made for the well-being of the company, its customers and other stakeholders.

One of the major questions for many companies is whether to involve the authorities, and there are several considerations surrounding this action.

Bryan Rose, managing director with the New York City-based business consulting firm Stroz Friedberg, told an audience at ALM's cyberSecure conference in New York City this week that a company must consider whether reporting the breach to the government will hurt or benefit the company in any way.

"There are benefits to reporting to law enforcement, but it depends on the company," Rose said, adding that the company will likely be viewed as a victim of the breach. "They (the FBI and Secret Service) are dealing with national security, and will make decisions based on that perspective."

He also recommended that a company think about the public relations issues involved with the breach. "If it is a private breach, the company may not want to report it because of the possibility of leaks, not from the FBI, but possibly from other entities." Delaying notification may also be critical to the investigation, and can help the company determine the source of the breach.

Nicole Friedlander, special counsel at the New York City law firm of Sullivan & Cromwell LLP, said that other considerations around reporting the breach include the type of information affected (such as personally identifiable information or personal health information), and whether the breach will generally affect public health or safety.

Calling in the feds

Richard Jacobs, assistant special agent in charge of the cyber branch in New York for the FBI, said they would like to be notified any time a company suffers a breach. "We would like a phone call," he said. "Your breach might be connected to a dozen others and help us paint a picture of the criminals. The FBI's role is to get the bad guys out from behind the keyboard and into jail. If we don't neutralize those responsible, they will come back and attack again and again."

Jacobs explained that the FBI has information not available to the public, but has provided it in certain cases on a need-to-know basis to help companies defend their networks. He also said that when organizations announce they have been the subject of a breach, it bodes well for those who can say up front that they are working with the FBI to identify the source of the intrusion.

He stressed that reporting a breach to the FBI is not the same as reporting it to federal regulators, who must be notified for certain types of breaches. "When you speak with the FBI, we are not responsible for turning information over to the regulators," he added. Hospitals, financial institutions and other regulated businesses must report cyber attacks or data breaches to federal regulators within 30 days; the exact deadline and what triggers it depend on the regulator and the type of data involved, so counsel should confirm the window that applies. In some cases, because of the nature of the attack, the FBI may issue a company a "safe harbor" letter, which can give the company a little more time to report the breach to regulators and protect the integrity of the investigation.

Jacobs said the FBI and Secret Service frequently investigate cyber breaches. Sometimes they work together and sometimes they investigate independently. He recommended contacting the FBI first, but stressed that if a company has relationships with other agencies, it should contact whichever agency it feels comfortable working with on the incident.

Benefit of expertise

"When the FBI first responds, our job is to determine who is behind the breach," he explained. "We want indicators of the breach, things like copies of the malware, the IP addresses involved and what activities led up to the breach. We are often able to attribute an attack to a specific entity because of this information and may already have data on the perpetrators."
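The indicators Jacobs lists (malware samples, IP addresses, the sequence of events) are easier to hand over, and easier for investigators to trust, when they are packaged with integrity hashes and cleaned of the "defanging" that creeps in when IOCs are pasted into tickets. The script below is an added example written for this article, not the FBI's intake format or Stroz Friedberg's tooling; the case reference, file names, sample bytes, RFC 5737 documentation IP addresses and timeline entries are all constructed for illustration.

```python
"""Package breach indicators for handoff to law enforcement.

Hypothetical helper written for this article, not an FBI intake format:
it takes malware samples, observed IP addresses and an event timeline and
produces a manifest with SHA-256 hashes so both sides can later verify that
the evidence received is the evidence collected.
"""
import hashlib
import ipaddress
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used for samples and for the manifest)."""
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj) -> bytes:
    """Deterministic encoding (sorted keys, fixed separators) so the same
    content always hashes to the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def refang(indicator: str) -> str:
    """Undo common defanging ('198.51.100[.]10', 'hxxp://') applied when IOCs
    are pasted into email or tickets, so the recipient gets the real value."""
    return (indicator.strip()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def validate_ips(candidates):
    """Split IP strings into (valid, rejected). Duplicates are collapsed,
    first-seen order is kept, and rejects are returned rather than dropped."""
    valid, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            canon = str(ipaddress.ip_address(refang(raw)))
        except ValueError:
            rejected.append(raw)
            continue
        if canon not in seen:
            seen.add(canon)
            valid.append(canon)
    return valid, rejected


def build_manifest(case_ref, samples, ips, timeline, collected_at):
    """Assemble the manifest. `samples` maps filename -> bytes; `timeline` is
    a list of (ISO-8601 UTC timestamp, description) tuples. `collected_at`
    is passed in rather than read from the clock so the output is reproducible."""
    valid_ips, rejected = validate_ips(ips)
    manifest = {
        "case_ref": case_ref,
        "collected_at": collected_at,
        "samples": [
            {"filename": name, "size": len(blob), "sha256": sha256_hex(blob)}
            for name, blob in sorted(samples.items())
        ],
        "ip_addresses": valid_ips,
        "rejected_ip_entries": rejected,  # kept so nothing is silently lost
        "timeline": [{"timestamp": ts, "event": desc} for ts, desc in sorted(timeline)],
    }
    manifest["manifest_sha256"] = sha256_hex(canonical_json(manifest))
    return manifest


def verify_manifest(manifest) -> bool:
    """Recipient-side check: recompute the digest over everything except the
    stored digest itself and compare."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_hex(canonical_json(body)) == manifest["manifest_sha256"]


# Constructed sample data: fake sample bytes, RFC 5737 documentation addresses,
# and an out-of-order timeline to show that the manifest sorts it.
SAMPLES = {
    "dropper.bin": b"MZ\x90\x00constructed sample, not real malware",
    "beacon.dll": b"MZ\x90\x00second constructed sample",
}
OBSERVED_IPS = ["198.51.100[.]10", "203.0.113.7", "198.51.100.10", "not-an-ip"]
TIMELINE = [
    ("2015-12-08T14:02:00Z", "first outbound connection to 198.51.100.10"),
    ("2015-12-08T13:55:00Z", "phishing email delivered to finance mailbox"),
    ("2015-12-09T09:30:00Z", "SOC escalates alert to incident response"),
]

if __name__ == "__main__":
    m = build_manifest("IR-2015-12", SAMPLES, OBSERVED_IPS, TIMELINE,
                       collected_at="2015-12-09T10:00:00Z")
    print(json.dumps(m, indent=2))
    print("verified:", verify_manifest(m))
```

The point of the manifest digest is that the company keeps a copy and the receiving agent can confirm the package was not altered in transit; the rejected entries are reported back rather than discarded, because an indicator that fails to parse is usually a transcription error worth chasing rather than noise.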

Jacobs also said that the FBI may be familiar with the group involved in the attack and can frequently tell a company what kinds of indicators to look for as part of the investigation.

There are also issues companies should think about pre-breach. According to Rose, "There should be a company response plan, inside counsel, outside counsel, who will make the decision to report the incident, who the company will report it to, and who will liaise with the FBI or Secret Service. Post-breach these things move very fast, so you need to know what to do before it happens."

All of the experts agreed there is a high probability that most companies will be breached, and that they need to take steps now to mitigate the damage when one occurs.


Patricia L. Harman

Patricia L. Harman is the editor-in-chief of Claims magazine, a contributing editor to PropertyCasualty360.com, and chairs the annual America's Claims Event (ACE), which focuses on providing claims professionals with cutting-edge education and networking opportunities. She covers auto, property & casualty, workers' compensation, fraud, risk and cybersecurity, and is a frequent speaker at insurance industry events.