You just found out your business was breached. Maybe your IT person discovered unusual network activity. Maybe a customer called to say their credit card was used fraudulently. Maybe you got a ransomware screen demanding Bitcoin. However you found out, the clock is now ticking, and what you do in the next few hours matters more than anything you did before this moment.
IBM's 2024 Cost of a Data Breach Report found that organizations that contained a breach within 200 days saved an average of $1.02 million compared to those that took longer. Speed matters. But so does doing things in the right order.
This guide is organized by timeline: what to do in the first 24 hours, the first week, and the first month. Bookmark it. Print it. Tape it to the wall next to your server rack. You don't want to be reading this for the first time during an active incident.
If You Have Cyber Insurance
Call your carrier's incident response hotline before you do almost anything else. Most policies require you to use their approved vendors for forensics, legal counsel, and notification services. Hiring your own vendors without approval can void parts of your coverage. The hotline number should be on your policy declarations page. Find it now, before you need it.
The First 24 Hours
Step 1: Don't Panic-Delete Everything
Your first instinct will be to shut everything down, wipe affected machines, and start over. Resist this. Wiping systems destroys forensic evidence that you'll need for the investigation, for your insurance claim, and potentially for law enforcement. The FTC specifically advises against destroying evidence during a breach investigation.
Do: Isolate affected systems by disconnecting them from the network (unplug the ethernet cable, disable Wi-Fi).
Don't: Turn them off, reformat them, or delete logs.
Step 2: Assemble Your Response Team
You need three roles filled immediately, even if one person wears multiple hats:
1. Technical lead: your IT person, MSP, or the first competent technical person you can reach. They're going to assess scope and contain the damage.
2. Legal counsel: ideally someone with data breach experience. If you don't have one, your insurance carrier will assign one. If you don't have insurance, the Pennsylvania Bar Association's Lawyer Referral Service can help: (800) 692-7375.
3. Decision maker: someone with authority to approve expenses, shut down systems, and communicate with customers. In a small business, this is probably you.
Step 3: Assess What Happened
Before you can respond effectively, you need to understand the basics. Your technical lead should try to answer these questions:
- What type of attack? Ransomware, phishing, unauthorized access, data exfiltration, or something else?
- What systems are affected? One workstation, the email server, the entire network?
- Is the attack still active? Are the attackers still in your systems?
- What data was potentially exposed? Customer records, financial data, health information, employee SSNs?
- How did they get in? Phishing email, exploited vulnerability, stolen credentials, third-party vendor?
You won't have complete answers to all of these in the first 24 hours. That's fine. Document what you know and what you don't know. "We think they got in through a phishing email but we're not sure what data they accessed" is a perfectly valid initial assessment.
Step 4: Contain the Breach
Containment means stopping the bleeding without destroying evidence. Depending on the attack type:
- Ransomware: Isolate affected machines. Check if backups are intact and unencrypted. Do NOT pay the ransom yet. Talk to your carrier and law enforcement first.
- Compromised email: Force password resets on all affected accounts. Revoke active sessions. Check for forwarding rules the attacker may have set up (this is commonly missed).
- Unauthorized access: Disable the compromised credentials. Review access logs for lateral movement. Change admin passwords on critical systems.
- Data exfiltration: Block the IP addresses involved (if identified). Preserve firewall and server logs. Begin cataloging what data was stored on affected systems.
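The forwarding-rule check in the compromised-email item above is worth automating, because a single hidden rule can keep an attacker reading mail after every password has been reset. The following is an added example and not code from the original article. It assumes the mailbox rules have already been exported from your mail platform into a list of dicts with the field names shown (those field names, the company domain and the sample rules are all constructed for this example), and it flags the patterns responders most often find after a business email compromise: forwarding or redirecting to an external address, deleting or hiding messages about payments or closings, and rules with blank or punctuation-only names.

```python
from dataclasses import dataclass

# Assumption for the example: your own mail domain; any other domain is "external".
COMPANY_DOMAIN = "example.com"

# Folders attackers commonly route intercepted mail into so the owner never sees
# it (a detection heuristic, not an exhaustive list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "deleted items"}

# Subject keywords typical of rules aimed at payment and closing traffic.
FINANCE_KEYWORDS = {"wire", "invoice", "payment", "closing", "ach", "bank"}


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    severity: str      # "high" or "medium"
    reasons: list


def external_addresses(addresses, company_domain):
    """Return the addresses whose domain is not the company's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() != company_domain.lower()]


def review_rules(rules, company_domain=COMPANY_DOMAIN):
    """Flag enabled rules that forward outside, hide finance mail, or have blank names."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = []
        ext = external_addresses(rule.get("forward_to", []) + rule.get("redirect_to", []),
                                 company_domain)
        if ext:
            reasons.append("forwards or redirects outside the company to " + ", ".join(ext))
        keywords = {k.lower() for k in rule.get("subject_contains", [])}
        finance_hit = keywords & FINANCE_KEYWORDS
        hides = bool(rule.get("delete")) or (rule.get("move_to") or "").lower() in HIDING_FOLDERS
        if hides and finance_hit:
            reasons.append("deletes or hides messages mentioning " + ", ".join(sorted(finance_hit)))
        elif hides and not keywords:
            reasons.append("deletes or hides messages with no subject filter at all")
        name = (rule.get("name") or "").strip()
        if not any(c.isalnum() for c in name):
            reasons.append(f"rule name {name!r} is blank or punctuation only")
        if reasons:
            severity = "high" if ext or (hides and finance_hit) else "medium"
            findings.append(Finding(rule["mailbox"], name, severity, reasons))
    return findings


# Constructed sample export: two mailboxes, four rules, two of them attacker-made.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Client newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "Inbox/Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "alice@example.com", "name": ".", "enabled": True,
     "forward_to": ["drop@mail-collector.example.net"], "redirect_to": [], "delete": True,
     "move_to": None, "subject_contains": ["wire", "closing"]},
    {"mailbox": "bob@example.com", "name": "Share with assistant", "enabled": True,
     "forward_to": ["assistant@example.com"], "redirect_to": [], "delete": False,
     "move_to": None, "subject_contains": ["schedule"]},
    {"mailbox": "bob@example.com", "name": "Cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "RSS Subscriptions", "subject_contains": []},
]

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.mailbox} rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

Run it against every mailbox the attacker could have reached, not only the one that clicked the link, and separately check mailbox-level forwarding settings, which on most platforms live outside the rule list and so would not appear in this export.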
Step 5: Document Everything
Start a breach log. A shared document or even a legal pad where you write down every action taken, when it was taken, and by whom. This documentation will be critical for:
- Your insurance claim (carriers will ask for a detailed timeline)
- Regulatory compliance (proving you responded promptly and appropriately)
- Law enforcement investigation
- Legal defense if customers or partners sue
Include timestamps, screenshots where possible, and the reasoning behind decisions. "We decided not to shut down the payment server because it would affect 200 active transactions" is useful context six months later when a regulator asks why.
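A breach log of the kind described above, as an added example rather than anything from the original article: each entry records who did what, when, and why, and carries the SHA-256 hash of the previous entry, so that if a carrier or regulator later questions the timeline you can show the log was appended to and never edited after the fact. The hash chain is a design choice added here; the entries in build_sample_log are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash recorded on the first entry


class BreachLog:
    """Append-only incident log with a hash chain for tamper evidence."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, with a stable key order.
        payload = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def record(self, actor, action, reasoning="", when=None):
        """Append one entry. `when` defaults to now (UTC); pass a datetime to backfill."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "reasoning": reasoning,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return 0 if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return 0

    def timeline(self):
        """Human-readable lines for the carrier's timeline request."""
        lines = []
        for e in self.entries:
            line = f"{e['time']}  {e['actor']}: {e['action']}"
            if e["reasoning"]:
                line += f"  [why: {e['reasoning']}]"
            lines.append(line)
        return lines

    def dumps(self):
        """Serialize as JSON Lines, one entry per line (suits an append-only file)."""
        return "".join(json.dumps(e, sort_keys=True) + "\n" for e in self.entries)

    @classmethod
    def loads(cls, text):
        log = cls()
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log


def build_sample_log():
    """Constructed entries mirroring the first hours of an incident (sample data)."""
    def at(hour, minute):
        return datetime(2025, 2, 12, hour, minute, tzinfo=timezone.utc)

    log = BreachLog()
    log.record("J. Smith (IT)", "Unplugged workstation WS-07 from the network",
               "Ransom note on screen; left powered on to preserve evidence", at(8, 15))
    log.record("J. Smith (IT)", "Called carrier incident response hotline; breach coach assigned",
               "", at(8, 40))
    log.record("M. Jones (owner)", "Decided not to shut down the payment server",
               "Would have interrupted about 200 active transactions", at(9, 5))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("\n".join(log.timeline()))
    print("chain intact:", log.verify() == 0)
```

Write the JSON Lines output to a file that is not on the affected systems (a personal laptop or a cloud note is fine), and re-run verify() on the saved copy before handing it to the carrier or counsel.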
Step 6: Report to Law Enforcement
File a report with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. If the attack involves ransomware, also contact your local FBI field office. Pittsburgh's is at (412) 432-4000. For significant breaches, they may be able to provide threat intelligence that helps your forensic investigation.
Law enforcement won't fix your breach, but the report creates an official record, may help identify the attackers, and some insurance policies require it.
The First Week
Bring In a Forensics Team
Unless the breach was trivially small (a single phishing email with no data exposure), you need a professional forensic investigation. This isn't your IT guy running antivirus. It's a certified digital forensics firm that will image affected systems, analyze attack vectors, determine the full scope of the breach, and produce a report.
Forensic investigations typically cost $10,000–$75,000 depending on the size of your environment and complexity of the attack. That's one of the big-ticket items cyber insurance covers. According to IBM's 2024 report, detection and escalation costs (which includes forensics) averaged $1.63 million across all breaches studied.
If you have cyber insurance, your carrier will assign a forensic firm from their approved panel. Using an unapproved firm can mean paying out of pocket even if you have coverage.
Understand Your Legal Notification Obligations
Every U.S. state has a data breach notification law, and they're all slightly different. Here's what matters if you're a Pennsylvania business:
Pennsylvania Breach Notification (73 P.S. § 2303)
- Who must be notified: Any Pennsylvania resident whose unencrypted personal information was accessed
- What triggers notification: Unauthorized access to computerized data containing name + SSN, driver's license number, or financial account numbers
- Timeline: "Without unreasonable delay." Pennsylvania doesn't specify an exact number of days, but courts have generally interpreted this as within 30–60 days of discovering the breach
- Method: Written notice, electronic notice, or substitute notice (if cost exceeds $100,000 or affected class exceeds 175,000 people)
- State AG notification: Not explicitly required by statute, but recommended for large breaches
If you have customers in other states, their notification laws apply too. Some are stricter:
- New York (SHIELD Act): Broader definition of personal information, requires "reasonable security" measures
- California (CCPA/CPRA): 72-hour notification to AG for certain breaches, private right of action for consumers
- Texas: 60-day notification deadline, AG notification required for 250+ affected residents
- Ohio: 45-day deadline, AG notification required for 1,000+ affected residents
If you handle health information, HIPAA requires notification within 60 days. If more than 500 people are affected, you must also notify HHS and "prominent media outlets" serving the affected area. PCI-DSS has its own notification requirements for payment card data.
Draft Your Communications
You'll need to notify affected customers, and how you do it matters as much as the notification itself. The two biggest mistakes we see:
Wrong Way
"We take your security very seriously. We recently identified a security incident that may have involved some of your information. We have taken steps to address the situation."
Generic, vague, corporate. Tells the customer nothing useful and sounds like you're hiding something.
Better Way
"On February 12, an unauthorized party accessed our customer database containing names, email addresses, and phone numbers. Payment information was not affected. Here's exactly what happened, what we've done, and what you should do."
Specific, honest, actionable. Your customers will respect directness even if they're upset.
Have your legal counsel review all communications before they go out. If your cyber policy includes crisis communications coverage, use it. Professional PR guidance during a breach is genuinely valuable.
When Cyber Insurance Kicks In
If you have cyber insurance, here's what a typical claims process looks like during the first week:
1. Initial call: You call the incident response hotline. A breach coach (specialized attorney) is assigned within hours.
2. Forensics engagement: The breach coach assigns a forensic firm from the carrier's panel. They typically begin work within 24–48 hours.
3. Scope assessment: The forensic team provides an initial assessment of the breach scope, usually within 3–5 days.
4. Notification planning: Legal counsel helps determine notification obligations and drafts notification letters.
5. Business interruption: If your operations are impacted, document all lost revenue and extra expenses. Your carrier will need this for the BI portion of the claim.
The IBM 2024 report found that organizations with cyber insurance paid an average of $5.17 million per breach versus $5.45 million for those without. The savings aren't just in direct payments. Insured organizations tend to respond faster because they have immediate access to experienced breach response teams.
The First Month
Execute Notifications
By now, you should have a clear picture of what data was compromised and who was affected. It's time to send notifications. For a typical breach involving customer PII, your notification package should include:
- A clear description of what happened and when
- Specifically what data was involved
- What you've done to address the breach
- What the affected person should do (monitor accounts, change passwords)
- Contact information for questions
- Information about credit monitoring or identity theft protection you're offering
Credit monitoring services for breach victims typically cost $2–$5 per person per month for 12–24 months. For 1,000 affected individuals, that's $24,000–$120,000. Another cost that cyber insurance absorbs.
Remediate and Rebuild
Once the forensic investigation identifies how the attackers got in and what they did, you need to close the holes and rebuild affected systems:
- Patch the entry point: whether it was a vulnerable VPN, an unpatched server, or a phishing-susceptible email system
- Reset all credentials: not just the compromised ones. Attackers often create backdoor accounts
- Rebuild affected systems from known-good backups or fresh installs
- Implement MFA if you haven't already (most carriers will require this for renewal after a claim)
- Review access controls: does everyone really need admin access? The answer is almost always no
Note: remediation and security improvement costs are generally NOT covered by cyber insurance. Your policy pays for the breach response, but upgrading your security afterward is on you. Think of it like car insurance: they'll fix the damage from the accident, but they won't buy you new tires.
Conduct a Post-Incident Review
Once the immediate crisis is handled, sit down with everyone involved and honestly assess what happened:
- Detection: How long did it take to discover the breach? IBM's 2024 report found the average time to identify a breach was 194 days. If you found yours faster, that's good. If it took longer, figure out why.
- Response: Did you have an incident response plan, and did you follow it? If not, what would have helped?
- Communication: Were notifications timely and clear? Did you have the right contact information for your insurance carrier, legal counsel, and forensic firm?
- Prevention: What specific security controls would have prevented or limited this breach? Prioritize and budget for them.
How Real Breaches Play Out
Theory is useful, but seeing how actual breaches unfolded helps you understand what you're really facing. These are based on publicly reported incidents.
Case: Small Medical Practice: Ransomware
What happened: A three-physician dermatology practice in suburban Philadelphia had their EHR system encrypted by ransomware in 2023. The attackers gained access through a Remote Desktop Protocol (RDP) port left open on the internet. Ransom demand: $180,000 in Bitcoin.
Total cost: Approximately $340,000 including forensics ($35,000), HIPAA notifications for 8,400 patients ($42,000), credit monitoring ($201,600 at $2/person/month for 12 months), legal counsel ($28,000), lost revenue during three weeks of downtime ($33,000), and system rebuilding. They did not pay the ransom. Backups were intact, though restoring took 11 days.
Insurance covered: $295,000 of the total cost under a $500,000 cyber liability policy with a $10,000 deductible. Annual premium had been $3,800.
Case: Regional Law Firm: Business Email Compromise
What happened: An attorney at a 20-person firm received what looked like a DocuSign email from a client. After clicking the link and entering credentials, the attacker had access to the attorney's email account for 19 days before detection. During that time, the attacker intercepted a real estate closing communication and redirected a $387,000 wire transfer to a fraudulent account.
Total cost: The $387,000 wire transfer was not recoverable (the FBI's Recovery Asset Team successfully recovers only about 29% of BEC wire transfers, per the 2024 IC3 report). Additional costs included forensic investigation ($22,000), client notification ($8,000), and legal defense against the client's malpractice claim ($65,000 and counting).
Insurance outcome: The firm's cyber policy covered forensics and notification costs. However, the wire transfer loss was only partially covered because their social engineering fraud sublimit was $100,000. They'd chosen the cheaper option during underwriting. The malpractice claim was covered under their professional liability policy, not their cyber policy.
Case: Manufacturing Company: Supply Chain Attack
What happened: A 150-employee precision machining company in western PA discovered that their ERP system had been compromised through a vulnerability in a third-party software component. Attackers exfiltrated customer order data, including specifications for components used in defense contracts.
Total cost: Beyond the direct breach costs of approximately $180,000, the company lost a $2.1 million annual defense contract because the breach meant they could no longer meet CMMC compliance requirements. It took 14 months to remediate systems and re-achieve compliance.
Lesson: Cyber insurance covered the breach response costs but not the lost contract. That's consequential revenue loss, not business interruption from system downtime. The distinction matters, and it's worth understanding before you need it.
What Cyber Insurance Covers During a Breach (and What It Doesn't)
| Expense | Typical Cost | Usually Covered? |
|---|---|---|
| Forensic investigation | $10K–$75K | Yes |
| Legal counsel (breach coach) | $15K–$50K | Yes |
| Customer notification (printing, mailing) | $2–$5 per person | Yes |
| Credit monitoring services | $2–$5/person/month | Yes |
| Business interruption (lost revenue) | Varies widely | Yes* |
| Ransomware payment | $10K–$1M+ | Sometimes |
| Regulatory fines and penalties | $10K–$1M+ | Varies |
| Security upgrades post-breach | $5K–$200K+ | No |
| Lost future contracts/revenue | Varies | No |
| Reputational damage | Incalculable | No |
*Business interruption coverage typically requires system downtime, not just reduced customer activity. Coverage specifics vary by policy.
What You Should Have Ready Before a Breach
Reading this article after a breach is better than not reading it. Reading it before a breach is even better. Here's a checklist of things to prepare now:
- Incident response plan: even a one-page document with roles, contacts, and basic procedures
- Insurance carrier hotline number: printed and accessible, not buried in a PDF on the server that might be encrypted
- Data inventory: know what personal data you store, where it lives, and how it's protected
- Backup verification: test your backups monthly. Untested backups aren't backups, they're hopes
- Key contacts list: IT support, legal counsel, insurance agent, PR firm (printed, not just digital)
- Notification templates: pre-drafted customer and regulatory notification letters (have legal counsel review them now)
Need Help Building a Breach Response Plan?
We've walked dozens of Pittsburgh businesses through breach response planning. Having a plan before you need it is always cheaper than figuring it out during a crisis.