First 72 Hours After a Cyber Incident: Response Playbook

Reviewed by Jason Wootton — California-licensed P&C Insurance Agent (CA #0I94454)
Edited by Justin Marks · Updated May 2026

Cyber incidents are not physical-property claims. The first 72 hours determine: (1) how much evidence is preserved for forensic and legal use, (2) whether state, federal and contractual notification deadlines are met, (3) whether the cyber policy responds without an exclusion being triggered, (4) whether ransom negotiation remains viable, and (5) whether you have triggered regulatory or contractual obligations you did not know about.

If you are inside the 72-hour window right now: do not delete anything, do not power off affected systems unless your forensic vendor tells you to, and do not pay a ransom without policy approval and FBI consultation. Call your cyber policy's claims hotline before anything else: it typically brings in pre-vetted breach counsel and forensic vendors who run every other step below.

  1. Hour 0-2: Isolate without destroying evidence

    The instinct is to power off compromised systems. Don't: RAM holds artifacts (encryption keys, malware that exists only in memory, active network connections, logged-in sessions, recent command history) that are lost on power-off and that often decide whether the intrusion can be reconstructed at all. Instead:

    • Network-isolate: pull the network cable, disable Wi-Fi, or block the host at the switch or firewall if you cannot reach it physically, but keep systems powered on
    • Document state: photograph screens (including any ransom note), note timestamps and each host's clock offset, and save running-process and network-connection lists if you can
    • Preserve logs: server, firewall, VPN, authentication and EDR/AV logs and alerts; copy them to write-once media and record a hash of each copy so its integrity can be proven later
    • Snapshot virtual machines (with memory state included) rather than restarting them

    Engage IT to begin isolation, but do not allow IT to "restore from backup" or "reimage" before the forensic team arrives; that destroys the evidence trail. Pause scheduled log-rotation and retention jobs as well, so nothing ages out while the response is under way.

    💡 Tip: Many cyber claims are denied because the policyholder destroyed forensic evidence in the first hour through well-intentioned IT response. The carrier's forensic team needs the untouched state.
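    As an added example, not code from the original playbook, the two preservation habits this step and step 8 ask for in Python: a SHA-256 manifest of the copies placed on write-once media (re-verifiable later) and a written incident log kept as hash-chained JSON lines, so that editing or deleting an earlier entry is detectable. The case id, collector name, file names and log lines are constructed for illustration; the `demo()` walk-through shows a preserved log being "tidied up" and an old log entry being rewritten, and both being caught.

```python
# Added example (not from the original playbook): hash manifest for preserved
# logs plus a hash-chained incident log. Names, paths and log lines are constructed.
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

GENESIS = "0" * 64  # 'prev' value for the first incident-log entry


def utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())  # always log in UTC


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so multi-GB logs never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, case_id, collector):
    """Record hash, size and source mtime of each preserved copy plus who took it
    and when; store the manifest beside the copies on the write-once media."""
    files = [{"path": p, "sha256": sha256_file(p), "size": os.stat(p).st_size,
              "source_mtime": os.stat(p).st_mtime} for p in sorted(paths)]
    return {"case_id": case_id, "collector": collector,
            "collected_at": utc_now(), "files": files}


def verify_manifest(manifest):
    """Re-hash every file; returns {path: 'ok' | 'modified' | 'missing'}."""
    status = {}
    for e in manifest["files"]:
        if not os.path.exists(e["path"]):
            status[e["path"]] = "missing"
        else:
            status[e["path"]] = "ok" if sha256_file(e["path"]) == e["sha256"] else "modified"
    return status


def log_event(log_path, actor, action):
    """Append one JSON line whose 'prev' is the SHA-256 of the previous line, so
    editing or deleting an earlier entry breaks every link after it."""
    prev = GENESIS
    if os.path.exists(log_path):
        lines = Path(log_path).read_bytes().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {"ts": utc_now(), "actor": actor, "action": action, "prev": prev}
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry


def verify_log(log_path):
    """True only if every entry's 'prev' matches the hash of the line before it."""
    expected = GENESIS
    for line in Path(log_path).read_bytes().splitlines():
        if json.loads(line)["prev"] != expected:
            return False
        expected = hashlib.sha256(line).hexdigest()
    return True


def demo():
    """Constructed walk-through: preserve two fake logs and two log entries, then
    show that a later edit to a preserved file or to an old log entry is caught."""
    root = tempfile.mkdtemp(prefix="ir-evidence-")
    samples = {  # constructed sample log lines, not real traffic
        "fw.log": "2026-05-03T01:12:09Z DENY 203.0.113.7:4444 -> 10.0.0.12:445\n",
        "edr.log": "2026-05-03T01:13:41Z ALERT host=FS01 proc=rundll32.exe sev=high\n",
    }
    paths = []
    for name, text in samples.items():
        paths.append(os.path.join(root, name))
        Path(paths[-1]).write_text(text)
    manifest = build_manifest(paths, case_id="IR-0001", collector="j.doe")
    custody = os.path.join(root, "custody.jsonl")
    log_event(custody, "j.doe", "copied fw.log and edr.log to write-once media")
    log_event(custody, "j.doe", "network-isolated FS01, left powered on")
    before = verify_manifest(manifest)               # every file 'ok'
    with open(paths[0], "a") as f:                   # IT 'tidies up' a preserved log
        f.write("rotated\n")
    after = verify_manifest(manifest)                # fw.log is now 'modified'
    log_ok = verify_log(custody)                     # untouched chain verifies
    lines = Path(custody).read_bytes().splitlines()
    lines[0] = lines[0].replace(b"j.doe", b"x.doe")  # rewrite the first entry
    Path(custody).write_bytes(b"\n".join(lines) + b"\n")
    return {"before": before, "after": after,
            "log_ok": log_ok, "log_after_tamper": verify_log(custody)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    On a live host you would first write the volatile captures the checklist asks for (process list, network connections, logged-in users) into the same evidence directory, so they are hashed alongside the copied logs. The manifest and the custody log then travel with the copies and are what the forensic vendor and the carrier's auditors check against.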

  2. Hour 0-4: Call the cyber policy claims hotline

    Open the cyber policy declarations and find the Incident Response Hotline — typically a 24/7 phone number or email. Call before you do anything else publicly. The hotline triggers:

    • Breach counsel assignment (attorney-client privileged from minute 1)
    • Forensic vendor dispatch (DFIR specialists, typically Mandiant/CrowdStrike/Stroz); have counsel, not IT, engage and direct the vendor, since a forensic report commissioned by counsel for the purpose of legal advice is far more likely to stay privileged in later litigation
    • Ransom-negotiation team if applicable
    • Regulatory-counsel assignment for state/federal notifications

    Many policies REQUIRE you to use carrier-approved (panel) vendors for coverage to apply. Hiring your own forensic firm before the hotline call can leave those fees uncovered and, under some policies, jeopardize the claim itself. Read your policy if in doubt, but default to calling the hotline first.

  3. Hour 0-12: Activate the incident response team internally

    Designate (or activate the existing) incident response team:

    • Incident commander: usually the CISO/CEO/COO depending on company size
    • IT/security lead: directs technical response
    • Legal counsel: in-house + breach counsel from cyber policy
    • HR lead: if employee data exposed
    • Communications lead: outbound messaging only after legal review
    • Operations lead: business-continuity decisions (do we stay open? do we revert to manual processes?)

    One person, the incident commander, owns final-call decisions. Don't let the response be run by committee. Record every decision in a written log with a timestamp, who made it and why; that log is what regulators, the carrier and plaintiffs' counsel will later ask to see.

    💡 Tip: If you don't have an internal team, your breach counsel will help you stand one up in hours. Their first call is usually to designate a single incident commander.

  4. Hour 4-24: Begin breach scoping — what was accessed?

    The forensic vendor's first deliverable is a scoping assessment:

    • Which systems were compromised? Which weren't?
    • What data was accessed, exfiltrated, or encrypted?
    • Personal information (PII/PHI/PCI)? Confidential business data? Trade secrets?
    • How many individuals affected?
    • How long was the attacker resident (dwell time), and what was the initial access vector?

    The scoping is the input to every downstream decision — breach notification timelines, regulatory obligations, ransom decisions, public statements. Resist the pressure to make announcements before scoping is complete.

    💡 Tip: "We don't know yet" is the right answer to outside questions in the first 24 hours. Premature announcements cause greater harm than silence.

  5. Hour 12-48: Apply state breach-notification timelines

    All 50 states, DC and the U.S. territories have data-breach notification laws, each with its own deadline, definition of "personal information" and content requirements. Most clocks start at discovery of the breach or at the determination that one occurred, so record that date in the incident log. Illustrative current timelines:

    • No fixed number of days, but "the most expedient time possible and without unreasonable delay": CA, IL, NY and many others; in practice breach counsel treats these as 30-60 days
    • 30 days: CO, FL, ME, WA
    • 45 days: MD, OH, OR, RI
    • 60 days: CT, DE, SD, TX
    • State attorney general (and in some states other agencies) must also be notified once a resident-count threshold is met, for example CA and IL at 500+ residents, FL at 500+ residents, and NY in every case (AG, Department of State and State Police)

    Which laws apply turns on where the affected individuals reside, not where you are headquartered: a Texas company holding records on Colorado and California residents is subject to both of those states' statutes. Breach counsel maps the obligations state by state from the scoping data.

    HIPAA (covered entities and business associates): individuals without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500+ individuals also go to HHS and to prominent media in the affected state within the same window, and smaller breaches are logged and reported to HHS annually
    GDPR (if EU data subjects are involved): the supervisory authority within 72 hours of becoming aware, where feasible; the affected individuals without undue delay when the breach is likely to result in a high risk to them
    NY SHIELD Act: most expedient time possible, no fixed deadline, but be ready to justify the timing; the AG, Department of State and State Police are notified as well
    Federal banking regulators: 36 hours after determining that a "notification incident" has occurred, for banking organizations supervised by the OCC, FDIC or Federal Reserve (the 2021 Computer-Security Incident Notification rule)
    SEC (public companies): Form 8-K Item 1.05 within four business days of determining that the incident is material

    💡 Tip: Breach counsel maintains the actual current state-by-state matrix. The list above is illustrative and changes annually. Do not rely on stale matrices.

  6. Hour 24-72: Make the ransom decision (if applicable)

    If the incident is ransomware, the decision to pay or not is multi-factor and should involve:

    • FBI Field Office (or IC3): call them. They do NOT prosecute victims, they may hold decryption keys or intelligence on the threat actor, and a prompt, complete report to law enforcement is a significant mitigating factor if OFAC later reviews the payment
    • Cyber policy claims team: many policies include ransom-negotiation coverage with pre-vetted firms
    • OFAC sanctions check: paying anyone on OFAC's SDN list, or anyone in a comprehensively sanctioned jurisdiction, violates federal law regardless of business pressure, and OFAC enforces on a strict-liability basis, so not knowing who you paid is no defense. Designated ransomware-linked actors include Evil Corp, North Korea's Lazarus Group and named LockBit administrators and affiliates; the negotiation firm or counsel screens the actor and the wallet before any funds move
    • Operational impact: can you restore from clean backups in acceptable time? Are the backups themselves encrypted or deleted (attackers routinely target them first)? Was data exfiltrated, so that a payment would buy a non-publication promise rather than decryption?

    If paying: the negotiation firm handles contact with the actor, typically reduces the demand substantially (60-80% is the figure commonly quoted), obtains proof that the decryptor works on sample files before payment, and documents the transaction for the claim. The cyber policy generally covers the ransom payment subject to a sublimit. Two caveats: decryptors are often slow or buggy, so keep the encrypted copies and test on non-critical systems first, and a payment carries no guarantee that exfiltrated data is deleted. Never pay without OFAC clearance and policy approval; both are required.

  7. Hour 48-72: Prepare individual notification + remediation offers

    If individuals were affected, prepare notification packets (breach counsel drafts; you sign):

    • Plain-English description of what happened, when, and which data elements were involved; several states prescribe the required contents, and Massachusetts prohibits describing the nature of the breach or the number of residents affected, so counsel tailors the letter per state
    • What you're doing about it
    • What the individual should do
    • Free credit monitoring + identity-restoration services (industry standard is 12-24 months; some states, including Connecticut, Delaware and Massachusetts, mandate a minimum period when Social Security numbers are exposed)
    • Single-point-of-contact phone/email for questions

    Most cyber policies cover the credit monitoring + restoration services up to a per-individual or aggregate limit. Verify before contracting independently.

  8. Document everything; preserve records for 7+ years

    Every decision, every timeline, every vendor engagement and every cost gets documented. Cyber incidents routinely generate records that are needed seven or more years later for:

    • Regulatory enforcement proceedings (FTC, state AGs, HHS for HIPAA)
    • Class-action defense (data-breach litigation is now standard)
    • Cyber-policy claim reimbursement audits
    • Future cyber-policy underwriting (renewal questionnaires require disclosure)

    Maintain a written incident-response log from minute 1. Save all email/Slack threads under legal hold. Preserve everything until breach counsel approves disposal.


Sources cited

  1. OFAC Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments — U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC), 2024
  2. Security breach notification laws — state-by-state matrix — National Conference of State Legislatures (NCSL), 2024
  3. Breach notification rule (HIPAA, 45 CFR §§ 164.400-414) — U.S. Department of Health and Human Services (HHS), 2024
📘 Educational content, not insurance advice. Cyber breach-notification laws change frequently and vary by state, sector, and data type. Sanctions on ransom payments are enforced by Treasury's Office of Foreign Assets Control (OFAC); current advisory at home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf. This playbook is general guidance; engage breach counsel and your cyber-policy IR hotline as the authoritative source for any active incident.
