When a cyber-attack hits, the first 24 hours are critical. But who makes the first call? What evidence should be preserved? And how do you avoid missteps that could delay your recovery - or your insurance claim? This article answers the most common questions about cyber incident response planning, based on real-world insight from forensic and legal experts.

What’s the first thing we should do when a breach is detected?

Start with a triage call. Bring together your IT lead, in-house or external legal counsel, your insurer, and a qualified incident response partner. This should happen within the first hour of discovery. Assign responsibilities early - containment, communications, stakeholder reporting - so nothing gets missed.

How do we contain a breach without destroying key evidence?

Containment doesn't mean powering systems off. It means limiting attacker movement while keeping logs and data intact. Capture live snapshots of affected systems, secure network and endpoint logs, and preserve digital evidence using a proper chain of custody. This evidence may be essential for regulatory reporting or future legal action.

What kind of internal coordination is needed?

Set up daily stand-up calls with your response team. Keep updates short, structured and cross-functional - bringing together IT, legal, communications and executive/board leads. This keeps progress moving and decision-makers aligned. You should also pre-agree contact points for regulators, suppliers and customers so nothing stalls when speed matters most.

What are our reporting duties under UK law?

You’ll need to act fast.

Under UK GDPR, personal-data breaches must be reported to the Information Commissioner’s Office within 72 hours of becoming aware of an incident.

Your response plan should also identify any other deadlines (for example regulatory or insurance deadlines) which may apply and who is responsible for notifying those third parties.

How do we make sure our incident response plan works in practice?

Test it. Run tabletop exercises to rehearse decision-making in a no-pressure setting. Then step up to war-gaming exercises, controlled simulations of real attacks, to test your technical and governance response. These exercises uncover gaps in tooling, escalation paths and communication, which you can fix before a real breach hits.

What technical defences should support our incident response plan?

At a minimum:

  • Back up critical systems using the 3-2-1 rule: three copies of data, on two types of storage, with one offline.
  • Implement multi-factor authentication and least-privilege access.
  • Store incident response plans and key contact details offline, in case systems are down.
  • Deploy real-time monitoring and log management tools.

These steps also align with most cyber insurance requirements and may be critical to a successful claim.

What makes the difference between a fast recovery and a prolonged crisis?

Preparation and clarity. The best-performing teams assign roles in advance, practice their response regularly, and treat incident readiness as a shared responsibility, not just an IT function - or an afterthought when things have gone wrong. When an attack comes, there’s no guesswork. Everyone knows who to call, what to do and how to protect what matters most.

If you would like to review your incident response plan or explore how to improve your business’s cyber breach readiness, please contact Patrick Arben or a member of our Cyber team.