Are you talking about the SAR Part III section where you'd characterize the activity as #35f, Computer Intrusion? That's the only form I know of.
Do you have a written, board-adopted incident response plan that defines an "incident" and basically gives you an action plan of what-to-do's when an incident occurs? Is it possible you're misinterpreting the examiners' suggestions and instead you're thinking you need some type of form? Part of your incident response plan and process would be defining what your actual event was, such as determining that there was, in fact, a "breach", as you referenced. There's something missing here in your translation of what they suggested you do.