Key Takeaways:
- Reporting a security incident is a contractual obligation under ISN 2025/03 (May 2025); it applies to all defence suppliers and subcontractors.
- The scope of a reportable incident is wider than most organisations expect: data spills, policy breaches, and suspicious approaches are all in scope alongside cyber attacks.
- Three reporting streams apply: MOD Defence Industry WARP, the ICO, and the NCSC, each with distinct timelines and authority.
- DEFCON 658 requires cyber incident reporting to flow down through the supply chain; PRIMEs carry accountability for ensuring subcontractor compliance.
- The Cyber Security and Resilience Bill (expected Royal Assent 2026) introduces fines of up to £17 million or 4% of global turnover for failures to report.
When a security incident occurs, the instinct in many organisations is to delay, assess the magnitude of the incident and then judge whether or not to report it. This procrastination is itself a compliance failure. ISN 2025/03, issued by the Ministry of Defence in May 2025, removes any ambiguity. Defence suppliers are obligated to report all security incidents promptly.
This blog sets out what that means, what qualifies, who receives the report, what timelines apply, and what your internal system needs to look like.
What Counts as a Reportable Security Incident?
The scope is broader than most companies expect, and the official definition is precise.
ISN 2025/03 defines a security incident as any circumstance in which defence-related classified material is:
- damaged,
- compromised,
- lost, or
- disclosed to unauthorised persons,
whether through a failure of policy, security measures, or controls, or as the result of a direct threat or individual action. Incidents can be accidental or deliberate and may originate internally or externally.
Security incidents are categorised into five domains:
- Cyber – covers cyber-attacks, malicious software, phishing (if acted upon), ransomware, and denial of service. MOD supply chain contractors follow the DEFCON 658 pathway. For government organisations more broadly, the NCSC is the relevant authority.
- Physical – covers incidents affecting site, building, or sensitive area security — including loss or compromise of hard copy classified documents or defence equipment.
- Personnel – covers vetting integrity, misuse of UKSV sponsor accounts, fraudulent use of access passes or ID cards, unsolicited or suspicious approaches (particularly from individuals linked to hostile states) and insider threats involving defence interests.
- Technical – covers the compromise of classified material through eavesdropping, signal interception, or similar exploits.
- Information – covers personal data breaches, classified information breaches, unauthorised disclosures (data spills, media or social media disclosures, information obtained without a need to know) and policy or SyOps breaches.
One point frequently overlooked: classified material that cannot be accounted for must be treated as compromised until confirmed otherwise. Contact the Defence Industry WARP immediately; do not wait for evidence of a breach to be established.
Contractors often self-filter, deciding informally that something does not meet the threshold. ISN 2025/03 does not permit that judgement to delay reporting a suspected incident. The next question is who receives it.
Who Do You Report To and When?
Three separate reporting streams apply, and in some incidents more than one runs simultaneously.
- MOD Defence Industry Warning Advisory and Reporting Point (WARP) is the primary recipient for all security incidents under ISN 2025/03. It coordinates with the relevant Contracting Authority, other government departments, and law enforcement where required. As we covered in our post on CSM Version 4, contractual security requirements now reach firmly into the second and third tiers and the reporting obligations follow the same path.
- The ICO must be notified of personal data breaches within 72 hours under UK GDPR and the Data Protection Act 2018. The Data Use and Access Act (in force June 2025) aligned PECR (Privacy and Electronic Communications Regulations) reporting to the same window. Phased reporting is permitted where investigation is ongoing.
- The NCSC (National Cyber Security Centre) becomes the relevant reporting authority under the Cyber Security and Resilience Bill, introduced to Parliament in November 2025 and expected to receive Royal Assent in 2026. It requires an initial notification within 24 hours and a full report within 72 hours covering confidentiality and integrity incidents, not only service availability.
What an Effective Internal Reporting System Looks Like
ISN 2025/03 requires each defence supplier to maintain an effective internal security reporting system, one where reporting does not depend on individuals making informal judgements about what warrants escalation.
In practice, an effective system needs four things:
- Named owner with clear accountability.
- Defined thresholds that remove discretion from the question of whether something is reportable.
- Documented audit trail recording awareness, decision, and action.
- Tested escalation path to each of the three external reporting bodies.
The most common gap is not a missing policy document; it is that staff do not know what to do when something actually happens. The Business Impact Analysis work that underpins sound information security governance feeds directly into the development of an incident response process. You cannot prioritise correctly unless you have already identified what matters to you as a business, i.e. your critical assets. As our post on IPSA sets out, a significant proportion of incidents involve insider threat, making staff awareness structural, not optional.
Getting the internal system right is one half of the equation. The other is understanding what failure actually costs.
The Cost of Getting It Wrong
Failing to report carries consequences at three levels:
- Contractual – non-compliance with DEFCON 658 reporting obligations may result in loss of contract and, in some circumstances, liability to reimburse reasonable costs.
- Regulatory – ICO fines remain in force for unreported personal data breaches under UK GDPR. The Cyber Security and Resilience Bill raises the ceiling to £17 million or 4% of annual global turnover for serious failures to notify the NCSC.
- Reputation – defence supply chain relationships are built on demonstrated reliability. A missed or delayed report, even where the underlying incident is minor, signals that your internal controls are not functioning. That is a difficult position to recover from.
How to avoid security incidents?
To reduce the probability of suffering a security incident, the security culture within an organisation must be mature and effective; this starts with senior-level leadership. A documented reporting process is the starting point, but it only works when your people are aware of it and understand how to use it.
The Intelligence Advantage from Pera Prometheus is an Executive and Senior Leadership threat awareness brief that has been developed and successfully piloted to guarantee that attendees will leave the room with a different view on security than they had when they walked in.
Frequently Asked Questions
Q: Do subcontractors face the same reporting obligations as prime contractors?
A: Yes. ISN 2025/03 applies to any organisation holding defence-related classified material. DEFCON 658 requires PRIMEs to flow reporting obligations down through their supply chain.
Q: What is the difference between reporting to MOD WARP and reporting to the ICO?
A: MOD WARP covers security incidents affecting defence-related classified material; the ICO covers personal data breaches. Some incidents require both, simultaneously.
Q: How quickly does a security incident need to be reported to MOD?
A: ISN 2025/03 requires “prompt” reporting, an admittedly ambiguous term. Best advice here is to ensure that you act in a prompt manner and if you can’t justify a delay, don’t make one. Delay is a compliance failure in itself. Under the incoming Cyber Security and Resilience Bill, initial notification to the NCSC is required within 24 hours, with a full report within 72 hours.
Stay Safe, Stay Secure