Your monitoring system flags unusual activity at 2 AM. By the time your on-call engineer investigates, you’re looking at encrypted databases, evidence of data exfiltration, or model outputs that don’t match expected behaviour. The next 24 hours determine whether this becomes a contained incident with insurance covering your costs, or a catastrophic event that drains your runway and kills your next funding round. The difference isn’t luck—it’s whether you have a cyber incident playbook that everyone understands and can execute under pressure.
This guide provides step-by-step response procedures for the three incident scenarios that matter most for UK tech companies: ransomware attacks that encrypt systems and demand payment, data leaks where customer or proprietary information is accessed or exfiltrated, and model misuse where AI systems are manipulated to produce harmful outputs. We’re writing from experience managing these incidents on the underwriting and claims side. By the end, you’ll know what actions to take in the first hour, how to engage your insurer effectively, and what evidence to preserve to support your claim.
The Critical First Hour: Immediate Actions That Preserve Your Insurance Claim
The first hour after detecting a cyber incident determines everything that follows. The actions you take now affect your ability to contain the incident, the evidence available for forensic investigation, your regulatory notification timeline, and whether your insurer will pay the claim in full or argue that you failed to mitigate losses. This cyber incident playbook assumes you’re discovering the incident in real time, not learning about it from a third party or regulator.
Contain, don’t investigate. Your immediate priority is stopping the incident from spreading, not understanding how it started. For ransomware, this means isolating affected systems from the network immediately—pulling network cables if necessary, not just disabling network interfaces in software. For data leaks, it means revoking credentials for compromised accounts and blocking suspicious IP addresses at the firewall. For model misuse, it means taking the affected model offline or rolling back to the last known good version. Every minute you spend investigating while the incident is still active gives the attacker more time to encrypt additional systems, exfiltrate more data, or cause further damage.
Preserve evidence before you do anything else. Take screenshots of ransom notes, error messages, or unusual system behaviour. Capture network logs, authentication logs, and application logs for the relevant timeframe. Create disk images or snapshots of affected systems before you start recovery procedures. This evidence is what forensic investigators and insurers will use to establish the timeline, the attack vector, and the scope of compromise. If you restore from backup or reimage systems without preserving evidence first, you’re destroying the crime scene and making it much harder to support your insurance claim or defend against potential regulatory action.
Notify your insurer within the policy notice period, which is typically 48-72 hours. Don’t wait until you understand the full scope or have completed your investigation. Insurers expect prompt notification so they can assign claims handlers, recommend forensic investigators, and ensure you’re taking steps that preserve coverage. The notice requirement is in your policy—if you miss it, you’re creating grounds for the insurer to reduce or deny the claim. Most insurers have 24/7 incident response lines for cyber policies. Find that number now, before you need it, and save it somewhere your incident response team can access it immediately.
Engage forensic investigators from your insurer’s panel if possible. Most cyber insurance policies include panels of approved forensic firms that can respond within hours and have direct billing arrangements with the insurer. Using an approved firm typically means faster claims processing and eliminates the cash flow problem of paying investigation costs upfront while waiting for reimbursement. If you engage a firm that’s not on the panel, the insurer may still cover the costs, but you’ll need pre-approval and you’ll likely be paying invoices yourself then seeking reimbursement later.
Start your incident log immediately. Create a running document that timestamps every action taken, every person notified, every system affected, and every decision made. This log becomes essential evidence for your insurance claim, regulatory notifications, and customer communications. The forensic team will want it. Your breach counsel will want it. The ICO will want it. Your customers will want it. Start capturing this information from hour one, not trying to reconstruct it days later when memories are fuzzy and details are lost.
Ransomware Response: The 72-Hour Critical Window
Ransomware incidents move fast and create immediate business interruption. You’re facing system downtime, potential data exfiltration, ransom demands, and a ticking clock on regulatory notification obligations if customer data was accessed before encryption. This ransomware response playbook assumes you’ve detected encryption in progress or discovered systems already encrypted.
Hours 1-4: Containment and impact assessment. Your forensic team is working to identify which systems are encrypted, whether the attacker is still present in your network, and whether data was exfiltrated before encryption. They’re checking for persistence mechanisms—backdoors that would allow the attacker to return even after you recover systems. You’re working with them to understand which business functions are affected and how long you can operate without the encrypted systems. This is when you discover whether your backups are intact and accessible, or whether the attacker encrypted or deleted them as part of the attack. If your backups are compromised, you’re facing a much longer recovery timeline and a much harder decision about whether to pay the ransom.
Hours 4-12: Recovery planning and ransom evaluation. If you have clean, tested backups that weren’t affected by the ransomware, your decision is straightforward—start recovery and don’t engage with the attacker. Your cyber insurance business interruption cover will compensate for lost revenue during recovery, and you avoid the ethical, legal, and practical problems of paying criminals. If your backups are compromised or you can’t restore within acceptable timeframes, you’re evaluating whether to pay the ransom. This is where your insurer’s guidance matters. Some cyber insurance policies explicitly cover ransom payments, others exclude them, and many are ambiguous. You need to know what your policy says before you’re in this scenario.
Hours 12-24: Communication and regulatory notification planning. You’re preparing internal communications for staff, customer communications explaining service disruption, and investor notifications if you’re venture-backed or preparing for a funding round. Your breach counsel is advising on regulatory notification obligations. If the ransomware included data exfiltration—which is increasingly common because attackers want leverage to force payment—you have 72 hours from discovery to notify the ICO under UK GDPR. You need forensics to confirm what data was accessed before you can make accurate notifications, but you can’t wait indefinitely for perfect information. This tension between accurate notification and timely notification is where breach counsel adds value.
Hours 24-72: Restoration and monitoring. You’re rebuilding systems from clean backups or clean images, implementing additional security controls to prevent reinfection, and monitoring for any signs that the attacker retained access. Forensics is working to identify the initial access vector—was it a phishing email, an unpatched vulnerability, compromised credentials?—so you can remediate the root cause, not just the symptoms. Your insurer wants to see that you’re addressing the underlying security gap to prevent recurrence, not just restoring to the same vulnerable state. This affects their willingness to renew your policy and the terms they’ll offer.
The ransom payment decision requires specific documentation. If you’re considering paying, your insurer needs to see evidence that you’ve exhausted other options, that the recovery timeline without payment is unacceptable for business continuity, and that there’s reasonable confidence the attacker will actually provide working decryption keys. Insurers don’t want to pay ransoms that don’t result in recovery. They also need to comply with sanctions regulations—if the attacker is on a sanctioned list, payment is illegal and won’t be covered. Specialist ransomware negotiation firms handle these complexities, and most insurers require you to use approved negotiators if you’re pursuing the payment route.
Data Leak Playbook: Notification Obligations and Evidence Preservation
Data leak incidents create different pressures than ransomware. Systems aren’t necessarily offline, so there’s less immediate business interruption, but you’re facing complex notification obligations, potential regulatory fines, and customer liability claims. This data leak playbook covers scenarios where you’ve discovered unauthorised access to customer data, employee data, or your own intellectual property.
First 24 hours: Scoping and containment. Forensics is working to establish what data was accessed, when access occurred, how long the attacker had access, and whether data was exfiltrated or just viewed. This scoping work is what determines your notification obligations and potential liabilities. If 50,000 customer records were accessed, you have different obligations than if 5,000 were accessed. If financial data or identity documents were included, notification requirements are more stringent than for email addresses alone. While forensics works, you’re revoking compromised credentials, forcing password resets for affected accounts, and ensuring the access vector is closed so the attacker can’t return.
Hours 24-72: Regulatory notification and legal assessment. Once forensics has preliminary scope, your breach counsel is advising on ICO notification requirements. UK GDPR requires notification within 72 hours of becoming aware of the breach if there’s a risk to individuals’ rights and freedoms. “Becoming aware” means when you have reasonable certainty a breach occurred—not when you first suspected something might be wrong. You’re drafting the ICO notification explaining what happened, what data was affected, what steps you’ve taken, and what mitigation you’re offering to affected individuals. The ICO may respond with additional information requests or launch a formal investigation, particularly if your security controls were inadequate or you delayed notification.
Days 3-10: Individual notification planning. If the breach creates high risk to individuals, you need to notify them without undue delay. The notification must explain what data was accessed, what steps you’ve taken, what advice you’re offering to affected individuals, and what services you’re providing—credit monitoring, identity theft insurance, or other support. Your cyber insurance first-party cover pays for these notification costs, but insurers want to see cost-effective notification methods that comply with regulatory requirements. Sending individual letters to 50,000 people costs more than bulk emails, but some individuals may not have valid email addresses, requiring postal notification anyway.
Weeks 2-8: Customer and third-party liability management. Your customers are assessing whether your breach triggers their own notification obligations, whether they’ve suffered losses as a result, and whether your contract makes you liable for those losses. If you’re processing data on their behalf under a data processing agreement, they’re scrutinising whether you met your security obligations. If you’re providing SaaS services with security warranties in the contract, they’re checking whether you breached those warranties. Some will threaten contract termination. Some will withhold payments. Some will make formal claims. Your cyber insurance third-party liability cover is for these claims, but you need to preserve evidence of your security controls, your contractual obligations, and the actual losses they’ve suffered to defend against inflated claims.
Evidence preservation is what separates successful claims from disputed claims. You need authentication logs showing when unusual access occurred, network logs showing IP addresses and traffic patterns, access control configurations demonstrating what security controls were in place, patch management records showing whether systems were current, and incident response actions showing you contained the breach promptly. If you can’t produce this evidence because logging wasn’t enabled or logs weren’t retained, insurers will argue you failed to maintain reasonable security controls and they may reduce or deny cover. This is why evidence preservation in the first hour matters—once you’ve reimaged systems or restored from backup, that evidence is gone.
Model Misuse Response: When AI Systems Are Manipulated or Produce Harmful Outputs
Model misuse incidents are newer and less well understood than ransomware or data breaches, but they’re increasingly common as AI deployment scales. This model misuse response playbook covers scenarios where your AI model has been manipulated through adversarial inputs, data poisoning, or prompt injection, or where the model has produced outputs that cause harm even though it’s technically functioning as designed.
Immediate detection and model isolation. Model misuse often presents as anomalous outputs rather than obvious system compromise. Your monitoring alerts that model predictions are drifting from expected distributions, or users report that the model is producing inappropriate responses, or you discover that systematically crafted inputs are causing the model to bypass safety controls. Your first action is isolating the affected model—either taking it offline entirely or rolling back to the last known good version. Don’t wait to understand the root cause. If the model is accessible to external users and producing harmful outputs, every minute of continued operation creates additional liability exposure.
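An added example (not from the article) of the monitoring and isolation decision this paragraph describes: it compares a recent window of safety-classifier labels on model outputs against a known-good baseline using the Population Stability Index, and rolls back to the last known good version when drift or the rate of policy-violating outputs crosses a threshold. It also handles the edge case of an output category never seen in the baseline. The category names, thresholds, counts and version strings are all constructed for the example.

```python
import math
from collections import Counter

# Labels a content/safety classifier assigns to each model response.
# "flagged" means the response violated a safety policy. Constructed for this example.
HARM_CATEGORY = "flagged"


def proportions(counts, categories, eps=1e-6):
    """Per-category share of outputs, smoothed so unseen categories never divide by zero."""
    total = sum(counts.get(c, 0) for c in categories)
    return {c: (counts.get(c, 0) / total if total else 0.0) + eps for c in categories}


def psi(baseline, recent, eps=1e-6):
    """Population Stability Index between a known-good output distribution and a recent
    window. A category seen only in the recent window is compared against the eps share."""
    cats = set(baseline) | set(recent)
    b, r = proportions(baseline, cats, eps), proportions(recent, cats, eps)
    return sum((r[c] - b[c]) * math.log(r[c] / b[c]) for c in cats)


class ModelGuard:
    """Decides whether a deployed model keeps serving, is investigated, or is isolated."""

    def __init__(self, baseline_counts, last_known_good, current,
                 investigate_at=0.10, isolate_at=0.25, max_harm_rate=0.05):
        self.baseline = Counter(baseline_counts)
        self.last_known_good = last_known_good
        self.current = current
        self.investigate_at = investigate_at
        self.isolate_at = isolate_at
        self.max_harm_rate = max_harm_rate

    def assess(self, window_counts):
        window = Counter(window_counts)
        total = sum(window.values())
        harm_rate = window[HARM_CATEGORY] / total if total else 0.0
        score = psi(self.baseline, window)
        if score >= self.isolate_at or harm_rate >= self.max_harm_rate:
            action = "isolate"
        elif score >= self.investigate_at:
            action = "investigate"
        else:
            action = "continue"
        return {"psi": round(score, 4), "harm_rate": round(harm_rate, 4), "action": action}

    def enforce(self, verdict):
        """Apply the verdict: on 'isolate', roll back to the last known good version."""
        if verdict["action"] == "isolate" and self.current != self.last_known_good:
            self.current = self.last_known_good
            return f"rolled back to {self.last_known_good}"
        return "no change"


# Constructed sample: a day of known-good labels, then three 200-response windows.
BASELINE = {"ok": 940, "refused": 50, "flagged": 10}
WINDOW_NORMAL = {"ok": 186, "refused": 11, "flagged": 3}
WINDOW_ATTACK = {"ok": 120, "refused": 20, "flagged": 60}      # safety controls being bypassed
WINDOW_NOVEL = {"ok": 150, "refused": 10, "policy_probe": 40}  # label never seen in baseline

if __name__ == "__main__":
    guard = ModelGuard(BASELINE, last_known_good="v1.4.2", current="v1.5.0")  # hypothetical versions
    for name, w in [("normal", WINDOW_NORMAL), ("attack", WINDOW_ATTACK), ("novel", WINDOW_NOVEL)]:
        verdict = guard.assess(w)
        print(name, verdict, guard.enforce(verdict))
```

The rollback decision is automated here, which is what the paragraph's "don't wait to understand the root cause" implies; the root-cause investigation still follows as a separate step.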
Forensic investigation for AI incidents requires ML-specific expertise. Traditional cyber forensics firms understand system compromise but may not understand model manipulation. You need specialists who can analyse training data for poisoning, evaluate model behaviour under adversarial inputs, assess whether the model has been modified or fine-tuned without authorisation, and determine whether the issue is a model defect versus external manipulation. This investigation determines whether you have a cyber security incident covered under cyber insurance, a model liability event covered under AI model risk insurance, or a product defect that might not be covered at all.
Regulatory notification for model misuse depends on impact and data involved. If the model produced outputs that caused individuals’ personal data to be disclosed inappropriately, you have UK GDPR notification obligations. If the model made consequential decisions affecting individuals—credit decisions, employment screening, benefits eligibility—and those decisions were wrong due to manipulation, you may have obligations under sector-specific regulations or equality legislation. If the model is used in a regulated context like financial services or healthcare, you have notification obligations to the relevant regulator. Your breach counsel needs to understand both data protection law and AI-specific regulatory requirements to advise properly.
Customer impact assessment and liability management. If customers or end users were affected by the model’s harmful outputs, you’re assessing potential liabilities under your contracts. Did you warrant specific model performance or safety characteristics? Did the model’s behaviour breach those warranties? What losses have customers or users suffered as a result? Your AI model risk insurance should cover these liability claims, but insurers will investigate whether you had adequate governance controls in place. If you deployed a high-consequence model without bias testing, without adversarial testing, or without monitoring for anomalous outputs, insurers may argue you failed to meet basic governance standards.
Remediation and transparency obligations. Once you understand what went wrong, you’re deciding what to disclose. If the incident affected a small number of users and the model has been fixed, limited disclosure to those users may be sufficient. If the incident was severe or public, you may need broader disclosure explaining what happened, what you’ve done to remediate, and what steps you’re taking to prevent recurrence. Transparency builds trust, but it also creates evidence that could be used against you in regulatory proceedings or civil claims. Your counsel and insurers need to balance these competing considerations.
How to Engage Your Insurer During an Active Incident
Engaging your insurer effectively during an incident is what separates claims that pay promptly from claims that get disputed, delayed, or denied. Insurers aren’t adversaries during incidents—they want you to contain the damage and manage costs effectively—but they have specific documentation requirements and process expectations that you need to understand.
Initial notification should be brief but complete. When you notify your insurer in the first 48-72 hours, you don’t need a full incident report—you need the key facts: what type of incident it is, when you discovered it, what systems or data are affected, what immediate actions you’ve taken, and what assistance you need. The insurer assigns a claims handler and connects you with their incident response resources. If you’re not sure what you’re dealing with yet, say so. “We’ve detected unusual activity that may be ransomware but forensics is still investigating” is better than claiming it’s definitely ransomware then discovering later it was something else.
Use the insurer’s approved vendor panels when possible. Insurers maintain panels of forensic firms, breach counsel, crisis PR firms, and ransomware negotiators who understand the insurer’s documentation requirements and have direct billing arrangements. Using these firms eliminates cash flow pressure—the insurer pays them directly rather than you funding costs upfront then seeking reimbursement. It also typically results in faster claims processing because the vendors know what documentation the insurer needs. If you engage firms that aren’t on the panel, you need pre-approval from the insurer and you’ll be managing invoices and reimbursement yourself.
Document everything as if you’ll need to defend the claim later. Even though your insurer is supporting you during the incident, they’re also evaluating whether the claim is covered and whether you took reasonable steps to mitigate losses. Your incident log, your forensic reports, your vendor invoices, your internal communications—all of this becomes evidence that either supports or undermines your claim. If you make decisions without documenting the rationale, if you incur costs without getting quotes or justifying necessity, if you wait days before taking obvious containment steps, insurers will question whether you met your duty to mitigate losses and may reduce payment accordingly.
Understand what decisions you control versus what the insurer controls. For first-party costs like forensics and notification, you generally have control over vendor selection and scope, though insurers expect you to be cost-conscious and may challenge unreasonable expenses. For third-party defence, the insurer typically has more control because they’re funding the defence and have an interest in the litigation strategy. If the insurer wants to settle a claim and you want to litigate, or vice versa, policy terms determine who makes that decision. Understanding this before you’re in an active claim prevents disputes about authority and decision-making during the incident.
The Bottom Line for Your Cyber Incident Playbook
Your cyber incident playbook is only valuable if your team knows it exists, understands it, and can execute it under pressure. The companies that manage incidents effectively are the ones that have tested their response procedures through tabletop exercises, identified gaps in their playbook, and fixed those gaps before a real incident occurs. The companies that struggle are the ones discovering their playbook during an actual crisis when stress is high and time is limited.
The first hour determines everything. Contain first, investigate later. Preserve evidence before you start recovery. Notify your insurer within the policy notice period. Engage approved forensic investigators immediately. Document every action and decision in your incident log. These fundamentals apply equally to ransomware attacks, data leaks, and model misuse incidents—the specific response steps differ, but the underlying principles don’t.
Your cyber insurance is there to fund the response and protect your balance sheet from catastrophic losses. But coverage depends on you meeting policy terms, mitigating losses reasonably, and preserving evidence that supports your claim. Insurers pay claims when the policyholder demonstrates they managed the incident competently and documented costs appropriately. They dispute claims when the evidence is missing, the response was negligent, or the costs appear unreasonable. Make your insurer’s job easy by having a robust cyber incident playbook and executing it professionally.
External Resources
- NCSC: Incident Management – Practical guidance from the UK’s National Cyber Security Centre on handling cyber security incidents, including ransomware and data breaches
- ICO: Report a breach – Official guidance on UK GDPR breach notification requirements, timelines, and the information regulators expect during incident reporting