Playbook 11

Cyber insurance & law-enforcement response

After an incident, the claim and the report are their own minefield: policy sub-limits, notification deadlines, preserving evidence for law enforcement, and knowing which agency to call and when.

The hard truth

A cyber policy you never tested and an IC3 report filed a week late are two ways to turn a survivable incident into an uninsured one.

The first hour

  1. 1

    Read the policy's notification clause — many require notice before you act.

  2. 2

    Notify the insurer and use their approved incident-response resources.

  3. 3

    Preserve evidence and logs in a way that supports both a claim and a report.

  4. 4

    File with the right agency fast: FBI IC3 in the US, CAFC in Canada, plus local police for physical-safety issues.

  5. 5

    Track every timestamp, cost, and communication from the outset.

Stop the next one

  • A policy review matching sub-limits to real wire volumes and family risk.
  • A pre-built incident-response contact list, insurer included.
  • A tested claims-and-reporting runbook so nobody improvises mid-crisis.
  • Clarity on which regulators and agencies apply to your structure.

Questions we hear