Most companies treat FBI engagement like a root canal — something to endure only when absolutely necessary. That’s backward thinking, according to FBI Deputy Assistant Director Jason Cromartie, who argues that the time to build relationships with federal cyber investigators is decidedly not when your systems are on fire. Cromartie reveals how early cooperation transforms incident response from damage control to strategic intelligence gathering.
Maintaining open lines of communication with agencies like the FBI may not seem high on the agenda when companies are establishing or testing their cybersecurity practices. But given the load-bearing nature of private infrastructure, particularly in sectors like IT, establishing positive relationships with investigators long before a cyber breach occurs can pay dividends down the road, both for the company and the country, FBI Deputy Assistant Director Jason Cromartie told compliance professionals Sept. 15 at the SCCE’s 2025 compliance and ethics institute in Nashville, the organization’s 24th annual event.
“We recommend liaising and building networks with us ahead of an attack, so that the relationships exist before an attack occurs and we can get to things much faster,” Cromartie said, referring to the FBI’s 55 field offices. “In the crisis response world that I came from, we talk about the last time you want to exchange information and business cards is when the crisis is occurring.”
In 2024, the FBI’s Internet Crime Complaint Center (IC3) logged more than 260,000 complaints of cyber threats, with nearly 5,000 affecting organizations in critical infrastructure sectors, and total losses surpassed $16 billion.
Cromartie emphasized early engagement with his agency, ideally before an incident occurs, but sought to dispel a potential reason for hesitation among some companies — the specter of triggering an SEC-mandated disclosure. He pointed to SEC guidance stating that consulting with law enforcement does not automatically trigger these obligations; the commission in 2023 finalized a rule requiring registrants to report a “material” cybersecurity incident within four calendar days.
Indeed, not only does communicating with the FBI not necessarily start the clock on reporting to the SEC, but companies can put themselves on the good side of the commission and other enforcers, Cromartie said.
If victims request it, “the FBI can confirm victim cooperation with regulators and state attorneys general,” he said. “That cooperation can be deemed a mitigating factor when such entities consider enforcement action.”
Recent SEC cybersecurity enforcement cases demonstrate both the risks and potential benefits. In 2024 settlements involving SolarWinds-related breaches, companies faced penalties ranging from $990,000 to $4 million for misleading cyber disclosures, though the SEC explicitly reduced penalties after considering companies’ cooperation and remediation efforts.
Strategic FBI engagement
The FBI’s approach to cybersecurity emphasizes intelligence sharing that benefits entire industry sectors, creating what amounts to collective defense networks, Cromartie told the crowd during the event’s opening general session.
“When you share timely, relevant intelligence with us, we’re not only putting it into a database somewhere,” Cromartie explained. “We’re collecting it to build evidence, build intelligence, and we’re acting on that intelligence.” This intelligence gets used to identify attack patterns, track threat actors across industries and develop countermeasures that protect broader business ecosystems. Early reporters gain access to threat intelligence about emerging attack vectors before they impact competitors.
“By reporting cyber attacks and intrusions to the FBI, we’re able to consolidate reports and identify other potential network attacks and identify other potential victims as well as identify other future adversaries,” he said.
For compliance teams, this reframes incident reporting from regulatory burden to strategic investment. Companies that cooperate early help build the intelligence foundation for FBI operations that can disrupt entire criminal networks, as demonstrated in recent takedowns of major ransomware groups.
To pay or not to pay
While acknowledging that “the FBI does not advocate paying ransom to adversaries,” Cromartie recognized the “tough business decisions” that require comprehensive risk assessment rather than absolute prohibitions.
The FBI’s opposition is clear: Ransom payments “do not guarantee that your information will be decrypted or deleted,” they “reward cyber actors and embolden them to conduct further activities” and they don’t “incapacitate the cyber actor from striking again in the future,” Cromartie said.
However, he outlined how the threat landscape complicates these decisions.
“One trend in ransomware attacks is to exfiltrate or extract the data without encrypting the servers,” he explained, “focusing on demanding a ransom to prevent the selling or posting of the victim data.” This means “even with the efforts done to protect data, back it up and go through various safeguards to make sure that the data is still in place, they can still demand a ransom payment to prevent the data from being leaked or otherwise causing a company to suffer reputational damage.”
The tension grows when “criminals try to increase pressure with harassing phone calls and communications to employees, to executives or to other customers.” As Cromartie noted, “ransomware actors assume and likely count on [the knowledge] that if they can inflict more pain, people will pay more and pay more quickly.”
Those calculations appear sound: Ponemon Institute-Illumio research showed that 88% of surveyed companies experienced at least one ransomware attack in the past year, with just over half acquiescing to the ransom demand.
Infrastructure impact
Cromartie emphasized how cyber attacks ripple across interconnected infrastructure sectors. “Many of your industries are related,” he said, explaining how attacks on one sector inevitably affect others. “Healthcare, oil and gas, financial services, manufacturing, technology — all are important sectors that cyber adversaries want to target.”
This interconnectedness demands comprehensive vendor risk assessments. Rather than traditional due diligence focused on direct vendors, compliance teams should trace attack paths through vendor networks, third-party integrations and industry partnerships, he said.
Cromartie advocated for incident response that goes beyond generic planning.
“Create an organizational incident response plan for continuity of operations,” he said. “Understanding and having your employees understand how to report incidents, and the plan should be ready and more importantly, perhaps practiced.”
The emphasis on practice addresses the reality that crisis decision-making differs from planning. “Compliance teams need processes they can execute quickly during a crisis while still keeping proper records for regulators.”
Actionable steps
Beyond strategic planning, Cromartie outlined specific steps compliance teams can implement now to strengthen their cyber risk posture:
- Establish FBI field office contacts before an incident occurs. Contact your local FBI field office to identify the cyber supervisor and request information about programs like InfraGard and the business alliance that facilitate ongoing public-private cooperation.
- Build IC3 reporting into incident response protocols. Ensure your team knows to file complaints at ic3.gov immediately after discovering incidents, as rapid reporting can help the FBI’s asset recovery efforts freeze stolen funds and can help the bureau provide decryption keys to victims.
- Create communication templates that balance disclosure with security. Prepare template language for stakeholder communications that avoids revealing specific or technical information about planned response or cybersecurity systems while meeting transparency obligations.
- Document materiality determination processes for audit trails. Establish written procedures for making materiality assessments without unreasonable delay that create defensible records for potential regulatory review.