Playbook 11
Cyber insurance & law-enforcement response
After an incident, the claim and the report are their own minefield: policy sub-limits, notification deadlines, preserving evidence for law enforcement, and knowing which agency to call and when.
The hard truth
A cyber policy you never tested and an IC3 report filed a week late are two ways to turn a survivable incident into an uninsured one.
The first hour
- 1
Read the policy's notification clause — many require notice before you act.
- 2
Notify the insurer and use their approved incident-response resources.
- 3
Preserve evidence and logs in a way that supports both a claim and a report.
- 4
File with the right agency fast: FBI IC3 in the US, CAFC in Canada, plus local police for physical-safety issues.
- 5
Track every timestamp, cost, and communication from the outset.
Stop the next one
- A policy review matching sub-limits to real wire volumes and family risk.
- A pre-built incident-response contact list, insurer included.
- A tested claims-and-reporting runbook so nobody improvises mid-crisis.
- Clarity on which regulators and agencies apply to your structure.