Defining the seriousness of a cybersecurity incident that is to be reported is difficult as incidents come in wide range of forms and significance. Individual interpretations of the seriousness of incidents will vary as well.
However, applying sound judgment and common sense to the definitions in the law, which reads
(1) jeopardizes or may potentially jeopardize the confidentiality, integrity, or availability of an information system, an operational system, or the information that such systems process, store, or transmit;
(2) jeopardizes or may potentially jeopardize the health and safety of the public; or
(3) violate security policies, security procedures, or acceptable use policies will result in compliance.
There is no penalty for “over reporting” and affected parties should find the reporting mechanism to be straightforward and efficient.
Report a cyber incident here: https://soi.formstack.com/forms/incident_reporting_form