Any type of incident can be reported. For guidance, the law provides the examples below:
(2) Business email compromise.
(3) Vulnerability exploitation.
(4) Zero-day exploitation.
(5) Distributed denial of service.
(6) Web site defacement.
Additionally, due to the changing threat landscape the Office of Technology will provide a list of additional incident types to be reported as applicable.