Incident Response and Cyber Insurance: A Coordinated Approach.

How Irish SMEs can coordinate incident response plans with cyber insurance for faster recovery and successful claims. Practical guide for Donegal businesses.

When a Galway professional services firm discovered ransomware on a Monday morning, the first two calls they made were to their IT provider and their office manager. The call to their cyber insurer happened on Wednesday — three days after discovery. By that point, the firm's forensic window had been partially contaminated by well-meaning attempts to restore systems, and the policy's 24-hour notification requirement had been missed. The insurer accepted the claim on humanitarian grounds but reduced the payout by 30%, citing the notification breach as a contributing factor to the increased recovery cost.

For Irish SMEs, a cyber incident is a matter of when, not if. When it happens, a swift and coordinated response determines both the operational outcome and whether your cyber insurance policy pays out fully. The two — incident response and cyber insurance — are not separate concerns. They need to be integrated before a crisis occurs.

Why an Incident Response Plan Matters to Your Insurer

An incident response plan is your organisation's documented procedure for detecting, containing, recovering from, and learning from a cyberattack. For Irish businesses, it is both a regulatory requirement under NIS2 and GDPR, and a warranty condition in most current cyber insurance policies.[^1]

Insurers look at incident response plans for the same reason they look at fire suppression systems in commercial properties. A business that can contain and extinguish an incident quickly costs the insurer far less than one that lets the fire spread. The existence of a tested incident response plan demonstrates that your organisation has thought through how it will respond — and that thinking reduces claim costs.

A plan that exists but has never been tested provides limited assurance. Insurers increasingly ask during the underwriting process whether your IRP has been exercised through tabletop simulations or live drills. A plan tested under controlled conditions reveals gaps that a real incident would expose at far higher cost.

Does your business have an incident response plan — and does it include your cyber insurer's claims notification number? Book a free 20-minute strategy call — we'll review your current IRP against your insurance obligations and identify what needs to be added.

The Critical First Hours

The moment a cyber incident is confirmed — whether ransomware encryption, a suspected data breach, or a system compromise — the clock starts. Most cyber insurance policies require notification within 24 to 72 hours. Missing this window can void coverage or result in reduced payouts, as the Galway firm discovered.

Your incident response procedure should make the insurer notification a mandatory step that happens in parallel with technical containment, not after recovery is complete. The insurer should be notified even before the full scope of the incident is known. You are not making a formal claim at that point — you are fulfilling the notification obligation that preserves your right to claim.

During an active incident, your insurer's panel of pre-approved vendors becomes important. Many cyber insurance policies have a list of approved forensic investigators, legal counsel, and crisis communications firms. Using vendors from this panel keeps their costs within the policy coverage. Engaging an external forensic firm that is not on the approved list — even a competent one — can result in those costs being disallowed. Your incident response plan should list your insurer's approved vendors before an incident occurs, not during one.

An Garda Síochána's National Cyber Crime Bureau should be notified of significant cybercrime incidents. If your business has suffered a ransomware attack or data theft with an identifiable criminal element, reporting to the Garda NCCB creates an official record and may support broader investigations. The notification to Garda NCCB is separate from your DPC breach notification obligation.[^2]

GDPR and NIS2 Notification Requirements

GDPR requires that personal data breaches be reported to the Data Protection Commission within 72 hours of the organisation becoming aware of them. This obligation is separate from your cyber insurance notification. If your incident involved personal data — which it almost always does when email, customer records, or booking systems are affected — your legal team and DPC notification process must run in parallel with your technical response and your insurer notification.

The Data Protection Commission expects that the 72-hour notification is made even when the full scope of the breach is not yet known. You update the notification as more information becomes available. Attempting to delay notification until the incident is fully understood is a compliance risk — the DPC can treat late notification as a separate breach of GDPR.[^3]

NIS2 has additional reporting requirements for businesses in scope. NCSC Ireland, as the competent authority for NIS2 in Ireland, requires early warning of significant incidents within 24 hours, a full notification within 72 hours, and a final report within one month. If your business is in scope or supplies to regulated entities, your incident response plan must reflect these timelines explicitly.

Post-Incident Recovery and Claims

Once containment and initial recovery are under way, the claims process begins in earnest. Your ability to claim successfully depends heavily on the documentation you maintain during the incident. Every decision, every cost, every vendor engagement should be logged contemporaneously — not reconstructed from memory after the fact.

Keep records of the staff hours spent on incident response, the invoices from any vendors engaged, the communications with regulators, and the evidence collected by your forensic investigators. This documentation forms the basis of your claim, and gaps in it give the insurer grounds to question specific cost items.

Post-incident review is both good practice and insurer expectation. Once recovery is complete, document what went wrong, what your response plan got right, what it got wrong, and what you have changed as a result. Sharing this review with your insurer and broker at renewal demonstrates that your security posture has improved — which can influence premium negotiations.

The organisations that recover fastest from cyber incidents are those that practised their response before the incident occurred. An untested plan is a hypothesis, not a procedure.

Three Integration Steps

These steps connect your incident response planning with your insurance obligations before a crisis occurs.

  1. Add your cyber insurer's claims notification number and your broker's emergency contact to your incident response procedure. Print it, laminate it, and put it somewhere physically accessible to senior staff. In a ransomware attack, your email system may be down. The notification number needs to be reachable without opening a laptop.

  2. Schedule a one-hour tabletop exercise with your senior team in the next 90 days. Present a scenario — ransomware discovered on a Monday morning — and walk through who does what, in what order, and who makes which external notifications. The exercise will reveal gaps in your plan that are far cheaper to fix now than during a real incident.

  3. At your next cyber insurance renewal, ask your broker to provide the list of pre-approved vendors for forensic investigation, legal response, and crisis communications. Incorporate those names into your incident response plan. If an incident occurs, you know who to call without searching for the list.

Related Reading

[^1]: NCSC Ireland — Incident response requirements and NIS2 notification obligations for Irish organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — Reporting cybercrime incidents to the National Cyber Crime Bureau: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission Ireland — GDPR breach notification requirements and timelines: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.