Regarding your question about reporting incidents, I would just point out that we recommend organizations invest before an incident occurs. The organization has to have a security program in place, one that can detect threats and so forth. We always recommend that people report incidents and share them with their community because there are usually commonalities that everyone can learn from.
As the country's cybersecurity centre, we work to gather that information across all communities and to find commonalities in order to issue advice and guidance that could lead to enhanced security nationally. Yes, incidents should definitely be reported.