Use out-of-band communication only
Before any notification: assume your email, Slack, Teams, and corporate phone systems are compromised. Attackers frequently maintain access during the response phase specifically to monitor your communications, anticipate your moves, and identify additional targets within your organization.
Switch to communication channels the attacker cannot see:
- Personal phones and personal email for incident coordination — not corporate accounts
- Signal or another end-to-end encrypted messaging app for sensitive discussions
- In-person meetings where possible
- A new, separate communication channel set up specifically for the incident response team
Treat all corporate channels as monitored until forensics has confirmed they're clean. Yes, this is operationally painful. It's also the difference between a contained incident and a much worse one.
Notification order — who and when
1. Your cyber insurance carrier — first call
Almost every cyber insurance policy contains a prompt notification requirement, usually 24 to 72 hours. Miss that window and you can lose coverage entirely. Call your broker or carrier directly from a personal phone, identify the incident, and follow their instructions exactly.
Most policies will activate a pre-approved panel of:
- Breach counsel — outside legal counsel specialized in cyber incidents
- Incident response and digital forensics firm
- Ransom negotiator if needed
- Crisis communications/PR firm
Use the panel. Insurance carriers have negotiated rates with these firms, and their work product is what your claim will be built on. Engaging your own outside firms before involving the carrier can result in expenses not being covered.
2. Outside legal counsel — established under privilege
If your insurance carrier hasn't assigned breach counsel yet, engage your own outside cybersecurity attorney immediately. All subsequent forensic work should be performed under attorney-client privilege — this protects the work product from discovery in any later litigation.
Your in-house counsel or general business attorney is not a substitute. Cyber breach response is a specialized legal practice with specific case law around privilege, notification obligations, and regulatory exposure.
3. Internal incident response team and executive leadership
Convene the formal incident response team — IT, security, legal, communications, and an executive sponsor. Decisions about ransom payment, public communications, and notification scope are executive decisions, not IT decisions. Get leadership in the loop on day one.
Limit the circle. The fewer people who know the details, the lower the risk of leaks, panic, or attackers learning your response strategy.
4. Law enforcement
Report the incident to the FBI through the Internet Crime Complaint Center (IC3.gov) and to your local FBI field office. For NYC, that's the New York Field Office; for Connecticut, the New Haven Resident Agency. CISA also accepts reports and can provide technical assistance.
Concerns about reporting are common but largely misplaced:
- The FBI does not publicly disclose victims and does not require you to make any public statement
- Reporting may be required by your cyber insurance policy or by regulations like NYDFS Part 500
- The FBI sometimes has decryption keys for known ransomware variants that they can provide to victims
- Reporting contributes to investigations that disrupt the threat groups attacking other businesses
5. Employees — once you have a coordinated message
Employees will know something is wrong long before you formally tell them. Get ahead of the rumor mill with a brief, accurate, controlled message. Do not over-explain or speculate about scope while the investigation is ongoing.
What to communicate:
- That a cybersecurity incident is being managed
- What specific systems are unavailable and what they should do as a workaround
- Not to discuss the incident outside the company
- To direct any external inquiries (media, vendors, clients) to a designated spokesperson
6. Customers, partners, and the public — last, and only with counsel review
External notification is the most consequential step in this sequence. Premature notification creates legal liability if your facts change later. Late notification can violate regulatory requirements and damage trust permanently.
External communication should:
- Be drafted by breach counsel
- Be reviewed by your insurance carrier and crisis communications firm
- Reflect what you actually know — not what you suspect
- Include only the information legally required and operationally necessary
- Provide a clear point of contact for follow-up questions
The ransom decision is not made at this stage
If the attackers have left a ransom demand, do not respond, do not pay, and do not engage. The decision to pay or not pay involves your insurance carrier, breach counsel, OFAC sanctions analysis, ransom negotiators, and executive leadership. It's a structured decision made under privilege, not a frantic individual choice in the first hours.
Paying a ransom can violate OFAC sanctions if the attackers are on the sanctions list, and many recent ransomware groups are. Penalties for sanctions violations apply regardless of intent. This is why ransom decisions go through specialized negotiators who handle OFAC compliance.
- Switch to out-of-band communication — personal phones, Signal, in-person meetings
- Notify cyber insurance carrier within the policy notification window (usually 24-72 hours)
- Engage breach counsel to establish attorney-client privilege over forensic work
- Convene formal incident response team with executive sponsor
- Report to FBI via IC3.gov and local FBI field office
- Communicate a controlled message to employees with workaround instructions
- Hold external notifications until breach counsel has approved messaging
- Do not respond to attacker communications or engage with ransom demands directly
What's next: Step 6: Legal & Compliance
Once you've completed this step, the next priority is assessing the legal and compliance impact of the breach. That's covered in Step 6 of this guide.