Claims Service and Expertise

A ransomware attack can disrupt operations within minutes, but the first 72 hours are critical to controlling impact and accelerating recovery. Having a structured response plan supported by experienced partners can help businesses contain the threat, assess exposure and move forward with confidence.

Hours 0–24: Confirm the Incident and Contain the Threat

The initial response focuses on quickly validating the incident and limiting further damage.

Key Actions

• Confirm ransomware activity and identify affected systems
• Isolate impacted systems from the network to prevent further spread
• Notify your cyber insurance carrier
• Engage incident response counsel and forensic specialists
• Establish immediate communication protocols

Initial Priorities

• Identify impacted systems and business disruptions
• Begin containment and stabilization efforts
• Determine need for external recovery support

Key Executive Decision

• Approve engagement of incident response, legal and forensic partners

Hours 24–36: Assess Scope, Impact and Exposure

Once the incident is contained, focus shifts to understanding the full scope and potential exposure.

Key Actions

• Begin forensic investigation to determine entry point and affected systems
• Assess whether data exfiltration has occurred
• Evaluate backup integrity and restoration options
• Deploy security controls before reconnecting systems
• Initiate business impact analysis
• Evaluate regulatory and contractual notification requirements

Operational Focus

• Preserve evidence while progressing recovery
• Identify critical service disruptions and customer impact
• Align internal communications and stakeholder awareness

Key Executive Decision

• Evaluate strategy for potential decryption and assess information at risk

Hours 36–48: Align Strategy and Plan Recovery

At this stage, organizations begin shifting from assessment to coordinated recovery.

Key Actions

• Assess ransomware strain and threat actor behavior
• Enhance monitoring to detect persistence or lateral movement
• Develop a prioritized system restoration plan
• Reset credentials and strengthen security controls
• Initiate or manage threat actor communications through counsel
• Notify appropriate law enforcement agencies

Planning Focus

• Analyze potential downtime and operational impact
• Review legal and regulatory exposure
• Refine internal and external communication plans

Key Executive Decision

• Approve phased restoration strategy
• Determine approach to threat actor engagement, if applicable

Hours 48–72: Restore Operations and Manage Risk

The focus turns to stabilizing operations, validating recovery and managing compliance and communications.

Key Actions

• Begin phased restoration of priority systems
• Continuously validate systems to prevent reinfection
• Finalize regulatory notification timelines
• Implement coordinated internal and external messaging
• Establish cadence for ongoing oversight and reporting

By Hour 72, Organizations Should Have

• A stable environment and defined recovery strategy
• Initial understanding of legal and regulatory obligations
• A unified communication approach for stakeholders

Why the First 72 Hours Matter

A structured response during the first 72 hours can significantly reduce operational disruption, financial impact and long-term reputational risk. Coordinated engagement with experienced claims, legal and forensic professionals helps businesses navigate complex decisions with greater clarity and control.

  Ransomware Flyer

• Cyber Security

• Cyber Risk
• Loss Control