My Cyber Insurance Wake-Up Call: Why Your Insurer Should Be Your First IR Phone Call
I need to admit something embarrassing.
For three years, I've been paying nearly nine grand annually for cyber insurance at our Dublin professional services firm. And until six weeks ago, I couldn't tell you the name of a single person at our insurance company. Not one. I knew the policy number. I knew the coverage limits. I knew exactly where the PDF was saved in our document management system.
What I didn't know was that I'd been ignoring the single most valuable incident response resource we had.
How a Podcast Episode Changed My Approach
Right, so here's the backstory. I've been listening to The Small Business Cyber Security Guy podcast for months now. Started as background noise during my commute from Drumcondra into the city centre. Then it became required listening. Then I started commenting on the blog posts with increasingly desperate questions about implementing enterprise security on SMB budgets.
Three months ago, Noel Bradford reached out directly. Offered mentorship. I nearly deleted the email, thinking it was sophisticated phishing.
Yeah, yeah, yeah. I'm an IT professional who almost deleted a legitimate mentorship offer because my threat model was too good. The irony wasn't lost on me.
Noel's first challenge: "Tell me about your cyber insurance policy. Not the coverage limits. The actual relationship with your insurer. When did you last speak with them?"
Silence. Uncomfortable silence.
Noel's follow-up: "Right. So you're paying for an incident response team, forensics specialists, legal experts, and crisis communications support. And you've never introduced yourself. That's like hiring bodyguards and not telling them where you live."
He wasn't wrong.
What's Actually In Your Cyber Insurance Policy
I spent the next two days properly reading our policy for the first time since I'd inherited it from my predecessor. Not the summary. The actual policy document. All forty-seven pages of dense insurance language made my eyes hurt.
Buried in sections I'd previously skimmed past were services I'd been trying to budget for separately:
Pre-incident services our policy included:
Annual incident response plan review (we didn't have a plan for them to review)
Tabletop exercise facilitation (I'd been quoted €4,200 (£3,500) for this from consultants)
Quarterly vulnerability assessments (saving us roughly €7,200 (£6,000) annually)
Security awareness training materials (basic, but better than nothing)
Access to forensics retainer pricing (massive discount compared to emergency rates)
Incident response support:
24/7 breach hotline with a 15-minute response time commitment
Immediate forensics team deployment
Legal specialists familiar with UK/Ireland data protection law
Crisis communications support
Regulatory notification assistance
Credit monitoring services for affected individuals
I'd been pricing incident response retainers separately. Twelve grand annually for basic coverage. Eighteen grand for the tier I actually needed.
I was already paying for this.
The "Treat Your Insurer as an IR Partner" Implementation
Following Noel's advice, I scheduled a call with our insurance broker. Explained I wanted to introduce myself to our actual insurance company's incident response team. The broker sounded genuinely surprised. Apparently, most policyholders only call when there's a claim.
Twenty minutes later, I was on a video call with three people from our insurer's cyber team:
Sarah, the incident response coordinator
Michael, technical forensics lead
Claire, legal and regulatory specialist
Sarah's first question: "Do you have an incident response plan?"
My honest answer: "I have a Word document with some phone numbers and a flowchart I drew in Visio three years ago."
Sarah's response: "Perfect. Let's fix that together."
What Actually Happened When I Engaged Pre-Incident
Here's the implementation timeline and actual costs for what we accomplished in six weeks:
Week 1: Initial Engagement (0 hours, €0 (£0))
Video introduction with the insurance IR team
Shared our existing "plan" (they were very polite about it)
Scheduled gap assessment for week 3
Hidden value discovered: Sarah sent me their standard IR plan template. Proper NCSC-aligned framework. Would have cost me £2,500 from a consultant. Included in policy.
Week 2: Plan Development (8 hours internal time, €0 (£0) external)
Used the insurance template to rebuild our IR plan
Mapped our existing tools and processes to the NCSC framework
Identified gaps in our current capabilities
Created proper contact trees (not just a list of mobile numbers)
Reality check: My original plan had our solicitor's office number. Not her mobile. Not her emergency contact. Her office number. Which goes to voicemail after 17:30. Yeah, yeah, yeah. I know. That breach would have gone brilliantly.
Week 3: Gap Assessment (4 hours internal time, €0 (£0) external)
Video call with Michael (forensics lead) reviewing our infrastructure
Identified logging blind spots
Discussed evidence preservation procedures
Reviewed our backup and recovery capabilities
Uncomfortable discovery: We had no formal evidence preservation process. If we'd had an incident, I would have been making it up as I went. Under stress. At 3 am. While panicking.
Michael walked me through their standard evidence collection procedures. Sent me scripts. Documented chain of custody requirements.
Consultant equivalent cost: €4,800 (£4,000) for this level of forensic consultation. Included in policy.
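Michael's scripts aren't reproduced in this post. As an added example (my own illustration, not the insurer's scripts or anything from the original post), here is the shape an evidence preservation step usually takes in Python: hash each collected artifact at the moment of collection, record who collected it and when, hash the manifest itself, and re-verify later so any change after collection shows up. The case id, collector name and artifact files are constructed placeholders.

```python
"""Minimal chain-of-custody manifest for preserved evidence (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(case_id, collector, artifact_paths):
    """Record who collected what, when, and its hash at the time of collection."""
    entries = []
    for path in sorted(artifact_paths):
        stat = os.stat(path)
        entries.append({
            "path": os.path.abspath(path),
            "size_bytes": stat.st_size,
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "created_by": collector, "artifacts": entries}
    # Hash the manifest body too, so edits to the record itself are detectable later.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Re-hash every artifact; return the paths whose content no longer matches."""
    mismatches = []
    for entry in manifest["artifacts"]:
        if not os.path.exists(entry["path"]) or sha256_file(entry["path"]) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def manifest_record_intact(manifest):
    """Check the manifest's own hash (detects edits to the record after it was written)."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return expected == manifest["manifest_sha256"]


def demo():
    """Constructed sample: two 'collected' files in a temp dir, then one is altered."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    paths = []
    for name, content in (("mail-export.txt", b"constructed mailbox export\n"),
                          ("auth.log", b"constructed auth log lines\n")):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    manifest = build_manifest("CASE-EXAMPLE-001", "seamus.oleary", paths)  # placeholder case id
    before = verify_manifest(manifest)          # nothing changed yet
    with open(paths[1], "ab") as fh:            # simulate a post-collection change to auth.log
        fh.write(b"appended after collection\n")
    after = verify_manifest(manifest)           # auth.log is now reported
    return manifest, before, after


if __name__ == "__main__":
    m, ok, bad = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before change:", ok)
    print("mismatches after change:", bad)
```

In practice the hashes are taken before the artifacts leave the affected host, and the manifest is kept with the evidence copy on a system the incident cannot touch; the `collected_by` and `collected_at` fields are what the chain-of-custody record needs when the insurer's legal team or a regulator asks how the evidence was handled.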
Week 4: Tabletop Exercise Scheduling
Booked a tabletop exercise for week 6
The insurance team provided a scenario (ransomware)
Invited our senior partners and office manager
Insurance team facilitating, no external consultant needed
Budget impact: I'd previously been quoted €4,200 (£3,500) for external tabletop facilitation. Included in policy.
Week 5: Pre-Tabletop Preparation (6 hours internal time)
Updated IR plan based on gap assessment findings
Fixed logging blind spots Michael identified
Created evidence preservation procedures
Briefed partners on the tabletop exercise format
Unexpected benefit: Our managing partner read the updated IR plan. Actually read it. Asked intelligent questions. Approved immediate spend on two critical gaps we'd identified. First time I'd got security budget approved without three months of justification meetings.
Week 6: Tabletop Exercise (3 hours internal time, €0 (£0) external)
Simulated ransomware scenario affecting client data
The insurance team facilitated and observed decision-making
Identified communication breakdowns in real-time
Documented lessons learned
What we discovered:
Our notification procedures were rubbish (we would have violated GDPR timelines)
Our backup restoration process had never been tested at scale (would have failed)
Nobody knew who had the authority to authorise ransomware payment (critical gap)
Our crisis communication plan assumed email would work (during an email compromise incident)
Brutal honesty moment: We would have absolutely cocked up a real incident. The tabletop revealed gaps we didn't even know existed.
The Budget Reality Nobody Talks About
Here's what this would have cost if I'd bought these services separately:
| Service | Consultant Cost | Insurance Included |
|---|---|---|
| IR Plan Development | €3,000 (£2,500) | ✓ |
| Forensics Consultation | €4,800 (£4,000) | ✓ |
| Tabletop Exercise | €4,200 (£3,500) | ✓ |
| Quarterly Vulnerability Scans | €7,200 (£6,000)/year | ✓ |
| Gap Assessment | €2,400 (£2,000) | ✓ |
| Total | €21,600 (£18,000) | €0 (£0) additional |
Our annual cyber insurance premium: €10,200 (£8,500).
We were getting €21,600 (£18,000) in pre-incident services for free. And I'd been ignoring them for three years while trying to budget for incident response capabilities separately.
Right, so I felt like a complete idiot. Still do, actually.
How to Actually Implement This (The Stuff I Wish Someone Had Told Me)
Step 1: Find Your Actual Insurance Contacts (30 minutes)
Don't just email your broker. Get the direct contact information for:
Breach notification hotline (the 24/7 number you'll call during an incident)
Incident response coordinator name and email
Technical team contact
Legal/regulatory specialist contact
Pro tip: Save these in your phone. Right now. Not in a document. In your actual phone contacts. When you're handling a breach at 2 am, you're not hunting through SharePoint for a PDF.
Step 2: Schedule Introduction Call (1 hour)
Book a video call with your insurance IR team. Not a crisis. Just an introduction.
What to cover:
Your organisation profile (size, sector, key systems)
Current security posture (be honest)
Existing IR capabilities (or lack thereof)
Request their standard IR plan template
Schedule gap assessment
What NOT to do: Pretend you have your security sorted. They're going to find out during the gap assessment anyway. Sarah told me they appreciate honesty upfront far more than discovering gaps during an actual incident.
Step 3: Conduct Proper Gap Assessment (4-6 hours)
Let the insurance technical team review your environment:
Logging and monitoring capabilities
Evidence preservation procedures
Backup and recovery processes
Communication procedures
Regulatory notification workflows
This will hurt. They found gaps I didn't even know were possible. But better to find them during a scheduled call than during an actual breach.
Step 4: Update Your IR Plan (8-12 hours)
Use the insurance template to rebuild your incident response plan properly:
Map to a framework (I like the UK's NCSC guidance; your insurer's template should align with it)
Include insurance contacts prominently (they're your first call)
Document evidence preservation (critical for claims and legal)
Create communication trees (not just lists of numbers)
Define authority levels (who can approve what spend)
Integration point: Your IR plan should explicitly include "Contact insurance IR team" as step one. Not step five. Not "if incident is serious." Step bloody one.
Step 5: Schedule Tabletop Exercise (Minimum Annually)
This is the bit that actually tests whether your plan works:
Insurance team facilitates (use them, it's included)
Include decision-makers (partners, board, senior management)
Use realistic scenarios (your insurance team has dozens)
Document gaps discovered
Update plan based on findings
Our tabletop revealed problems I never would have anticipated. The backup restoration failure? That was a €48,000 (£40,000) problem we discovered during a simulation instead of a real incident.
Step 6: Maintain the Relationship (Quarterly minimum)
Don't wait for an incident. Regular engagement with the insurance IR team:
Quarterly check-ins on emerging threats
Annual plan review and updates
Policy renewal discussions focused on coverage gaps
Threat intelligence sharing
Unexpected benefit: Our insurance premium actually decreased at renewal. Apparently, demonstrating mature incident response capabilities reduces their risk. Who knew?
What This Looks Like During an Actual Incident
We haven't had a major incident since implementing this approach (touch wood). But we did have a potential compromise two weeks ago. Suspicious email activity. Possible credential theft. Could have been nothing. Could have been the start of something serious.
Old Seamus response:
Panic slightly
Start investigating alone
Document everything in a Word doc
Hope it's nothing
Call insurance only if it becomes a reportable breach
New Seamus response:
Called Sarah (insurance IR coordinator) immediately
Conference call with Michael (forensics) within 20 minutes
Followed evidence preservation procedures we'd practised
Made containment decisions with expert guidance
Documented everything properly for a potential claim
Outcome: False alarm. Legitimate user behaviour that looked suspicious. But the response was professional, measured, and properly documented. If it had been real, we'd have been hours ahead of where we would have been before.
Cost of the call to insurance: £0. It's included in the policy.
The Bits That Still Need Work
Right, so I'm not pretending we're perfect. Six weeks of implementation haven't solved everything:
Still struggling with:
Getting users to actually follow new procedures (ongoing cultural battle)
Testing backup restoration at scale (scheduled for next month, finally)
Automating evidence preservation (currently too manual)
Keeping the IR plan updated as systems change (need a quarterly review process)
Lessons I'm still learning:
Tabletop exercises reveal different gaps each time (plan to run quarterly)
The insurance team's knowledge is sector-specific (they understand professional services risks)
Pre-incident relationships matter enormously for claim approval speed
What I'd do differently:
Engage the insurance IR team immediately upon policy purchase (not three years later)
Schedule tabletop exercises annually in the contract (make it mandatory)
Include insurance forensics costs in the IR plan budget assumptions
Test the 24/7 breach hotline before you need it (we did, it actually works)
How to Turn This Into a Competitive Advantage
Here's the bit that makes this strategic rather than just compliance:
1. Client Pitch Differentiator
When pitching professional services to regulated clients, our incident response capabilities became a selling point:
What we can now say: "Our incident response plan is reviewed quarterly by our cyber insurance provider's specialist team. We conduct annual tabletop exercises with forensics experts. Our breach notification procedures are tested against GDPR timelines."
Competitor response: "We have cyber insurance." (They probably don't even know their insurance coordinator's name.)
Competitive advantage: Clients in regulated sectors care deeply about supply chain security. Demonstrating mature IR capabilities wins pitches.
2. Insurance Premium Reduction
Our renewal premium decreased by 8% because we could demonstrate:
Documented IR plan aligned to best practice
Regular tabletop exercise program
Pre-incident engagement with the insurance IR team
Quarterly vulnerability assessments completed
ROI calculation: €816 (£680) annual saving on €10,200 (£8,500) premium. Plus €21,600 (£18,000) in included services. Total value: €22,416 (£18,680) annually.
3. Faster Incident Recovery
The real competitive advantage isn't prevention (everyone gets breached eventually). It's recovery speed:
Without an insurance IR partnership:
Scramble to find a forensics firm during the incident
Pay emergency rates (3-5x normal pricing)
Hope they're available immediately
Unknown quality of the response team
Potential delays during the critical first hours
With insurance IR partnership:
Pre-negotiated forensics team on standby
Included in policy, no emergency rate premium
Guaranteed response time (15 minutes for our policy)
The team is already familiar with our environment
Seamless escalation from the first call
Business impact: Every hour of downtime costs our firm approximately €5,000 (£4,200) in lost billable time. Faster incident response directly protects revenue.
4. Regulatory Compliance Positioning
Under GDPR and upcoming UK cyber legislation, demonstrating "appropriate technical and organisational measures" includes incident response capabilities:
Our position: Documented IR plan, tested procedures, specialist team on retainer (through insurance), regular tabletop exercises.
ICO assessment during breach investigation: Far more favourable than "we have cyber insurance but never engaged with them."
Director liability protection: UK directors increasingly face personal liability for cybersecurity negligence. Demonstrating mature IR planning provides evidence of reasonable care.
How to Sell This to Your Board
Here's the conversation I had with our managing partner after implementing this. Verbatim email thread because it worked:
My email:
Subject: Cyber Insurance Discovery - €21.6k Value We're Not Using
I've spent the past six weeks properly engaging with our cyber insurance provider instead of treating them as a policy document.
Discovery: We're paying €10,200 annually for incident response services worth €21,600 if purchased separately. We've never used them.
I've now implemented:
Proper IR plan (best practice-aligned)
Gap assessment revealing critical findings
Tabletop exercise scheduled
Direct contacts with specialist IR team
Two asks:
Approval for €3,840 spend to fix gaps identified in assessment
30 minutes at next partnership meeting to brief on IR procedures
ROI: Potential 8-15% insurance premium reduction at renewal. Faster incident recovery protecting €5,000 per hour in billable time.
Managing partner response (2 hours later):
Both approved. Schedule the meeting.
Why didn't we do this three years ago?
My response:
Because I didn't know it was possible. I do now.
Board Presentation Framework
When you present this to your board, trustees, or senior partners:
Problem Statement (30 seconds): "We're paying for incident response capabilities we're not using. Our current approach treats cyber insurance as risk transfer only. We're leaving £X in value unused while budgeting separately for services already included."
Evidence (1 minute):
Show the policy schedule of included services
Compare to the quotes you've received for the same services
Calculate the annual value of unused benefits
Implementation (1 minute):
Six-week timeline for full engagement
Internal time investment (approximately 25-30 hours total)
External cost (£0, all included in existing policy)
Risk Reduction (1 minute):
Tabletop exercise findings (specific gaps discovered)
Incident response time improvement (hours to minutes)
Regulatory compliance positioning improvement
Financial Benefit (30 seconds):
Premium reduction potential (8-15% typical)
Services value already paid for (€X annually)
Downtime cost reduction (€X per hour of faster recovery)
Ask (30 seconds):
Approval to engage the insurance IR team immediately
Budget approval for critical gaps identified
Quarterly board briefing on IR preparedness
Expected objections and responses:
"We've never had a major incident." Response: "Correct. Which is why now is the perfect time to prepare. Insurance IR teams are most effective when engaged before an incident, not during panic."
"This sounds expensive." Response: "All services are included in our existing policy. Zero additional cost. We're currently paying for a specialist IR team we're not using."
"We don't have time for this." Response: "Approximately 30 hours internal time over six weeks. Compare to 300+ hours during an unplanned incident response without specialist support."
"Can't this wait until renewal?" Response: "Our policy includes these services now. Every month we delay is unused value we've already paid for. Additionally, demonstrating mature IR capabilities before renewal improves our negotiating position."
What This Means for Your Business
If you have cyber insurance (and if you're an Irish or UK SMB handling any personal data, you should), you're probably making the same mistake I was.
You're paying for incident response capabilities you're not using.
Three specific actions for this week:
1. Find Your Insurance IR Contacts (Today)
Open your policy documents
Locate the breach notification section
Find the 24/7 incident response number
Save it in your phone under "CYBER INCIDENT HOTLINE"
Get the name and email of your IR coordinator
Time required: 15 minutes
Cost: €0 (£0)
Value: First step to €21,600 (£18,000) in included services
2. Schedule Introduction Call (This Week)
Email your broker requesting an introduction to the insurance IR team
Request standard IR plan template
Schedule gap assessment
Ask about included pre-incident services
Time required: 30 minutes
Cost: €0 (£0)
Expected outcome: Discovery of services you're paying for but not using
3. Audit Your Current IR Plan (Next Week)
Locate your existing incident response plan (if you have one)
Check the last update date
Verify contact information is current
Confirm the insurance IR team is included in the contact tree
Test that your 24/7 incident hotline actually works
Time required: 1-2 hours
Cost: €0 (£0)
Uncomfortable discovery: Your IR plan probably has outdated contact information and doesn't include insurance resources
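As an added example (my own illustration, not the insurer's template or anything from the original post), here is a small Python check that applies Step 4's plan requirements and this audit's contact checks to a contact tree kept as structured data: plan age, "contact insurance IR team" as step one, a 24/7 hotline and a named coordinator present, a mobile number for every contact (my solicitor's office line would have been caught), and a named authority for emergency spend, ransomware payment and regulator notification. The sample plan, names, phone numbers and the 90-day age limit are all constructed assumptions.

```python
"""Lint an IR plan's contact tree against the checks in Step 4 and the audit above (added example)."""
import copy
from datetime import date

# Decisions that must have a named owner before an incident (from the gaps the tabletop found).
REQUIRED_AUTHORITIES = ("spend_emergency", "ransomware_payment", "regulator_notification")

# Constructed sample plan. A real one would live in YAML or JSON beside the plan document.
SAMPLE_PLAN = {
    "last_updated": "2022-03-01",
    "escalation": ["Contain affected host", "Notify managing partner", "Contact insurance IR team"],
    "contacts": [
        {"name": "Cyber incident hotline", "role": "insurance_hotline",
         "mobile": "+353 1 555 0100", "availability": "24/7"},          # placeholder number
        {"name": "Sarah", "role": "insurance_ir_coordinator",
         "email": "sarah@insurer.example", "mobile": "+353 87 555 0101"},
        {"name": "Solicitor", "role": "legal", "office": "+353 1 555 0102"},  # office line only
        {"name": "Managing partner", "role": "exec", "mobile": "+353 86 555 0103"},
    ],
    "authority": {"spend_emergency": "Managing partner"},
}


def lint_plan(plan, today, max_age_days=90):
    """Return a list of findings; an empty list means the contact tree passes every check."""
    findings = []
    age = (today - date.fromisoformat(plan["last_updated"])).days
    if age > max_age_days:
        findings.append(f"plan last updated {age} days ago (limit {max_age_days})")
    steps = plan.get("escalation", [])
    if not steps or "insurance" not in steps[0].lower():
        findings.append("step one of escalation is not 'contact insurance IR team'")
    roles = {c["role"]: c for c in plan.get("contacts", [])}
    hotline = roles.get("insurance_hotline")
    if hotline is None:
        findings.append("no insurance breach hotline in contact tree")
    elif hotline.get("availability") != "24/7":
        findings.append("insurance hotline not recorded as 24/7")
    if "insurance_ir_coordinator" not in roles:
        findings.append("no named insurance IR coordinator")
    for c in plan.get("contacts", []):
        if not c.get("mobile"):
            findings.append(f"{c['name']} ({c['role']}) has no mobile number, only an office line or nothing")
    for decision in REQUIRED_AUTHORITIES:
        if not plan.get("authority", {}).get(decision):
            findings.append(f"nobody is named as authority for '{decision}'")
    return findings


def fixed_plan(plan, today):
    """Return a corrected copy of the plan, applying the fix each finding above asks for."""
    p = copy.deepcopy(plan)
    p["last_updated"] = today.isoformat()
    p["escalation"] = ["Contact insurance IR team"] + [
        s for s in p["escalation"] if "insurance" not in s.lower()]
    for c in p["contacts"]:
        if c["role"] == "legal":
            c["mobile"] = "+353 87 555 0199"  # constructed placeholder
    p["authority"].update({
        "ransomware_payment": "Managing partner",
        "regulator_notification": "Managing partner, with insurer legal specialist",
    })
    return p


if __name__ == "__main__":
    today = date(2025, 6, 1)  # fixed date so the output is reproducible
    for finding in lint_plan(SAMPLE_PLAN, today):
        print("FAIL:", finding)
    print("after fixes:", lint_plan(fixed_plan(SAMPLE_PLAN, today), today))
```

Running it against the sample reports five findings (stale plan, wrong step one, the solicitor's missing mobile, and two unassigned authorities) and none after `fixed_plan`; wiring this into the quarterly review means the contact tree gets checked on a schedule rather than at 2 am.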
A Final Thought on Implementation Reality
Right, so I need to be honest about something. This implementation wasn't smooth.
The gap assessment was brutal. Michael (forensics lead) found problems I didn't even know were possible. Our backup restoration process hadn't been tested in two years. Our evidence preservation procedures were nonexistent. Our communication plan assumed email would work during an email compromise incident.
I felt incompetent. Like I'd been failing at my job for three years without realising it.
Sarah's response when I expressed this: "Every single organisation we assess feels this way. The difference is you're fixing the gaps before an incident, not discovering them during one."
The tabletop exercise was worse: watching our senior partners struggle through a simulated ransomware incident, realising our procedures wouldn't work, and seeing decision-making collapse under simulated pressure.
But here's the critical bit: We discovered all of this during a scheduled exercise with specialist support. Not during a real incident at 3 am while our clients' data was being exfiltrated.
Noel's perspective when I reported back: "Discomfort during preparation is far cheaper than disaster during an incident. You're building muscle memory before the fire, not during it."
He wasn't wrong.
Six weeks ago, I was paying for incident response capabilities I didn't even know existed. Today, I have a tested IR plan, a specialist team that knows our environment, documented procedures, and the confidence that comes from having practised under realistic conditions.
Most importantly, I discovered that cyber insurance isn't about transferring risk to someone else. It's about partnering with specialists who've handled hundreds of incidents to ensure yours goes as smoothly as possible.
Yeah, yeah, yeah. I should have figured this out three years ago.
But I know now. And if you're reading this thinking, "I'm making the same mistake Seamus was," then you can fix it faster than I did.
Your insurance IR team is waiting for your call. They've been waiting since you bought the policy.
Go introduce yourself. Today.
| Source | Article |
|---|---|
| NCSC | Incident Management Guidance |
| Data Protection Commission (Ireland) | Personal Data Breaches - GDPR Requirements |
| Insurance Ireland | Cyber Insurance Market Overview 2024 |
| Department of Enterprise, Trade and Employment | National Cyber Security Strategy |
| NCSC | 10 Steps to Cyber Security |
| Marsh McLennan | Irish Cyber Insurance Market Trends 2024 |
| Data Protection Commission (Ireland) | SME Hub: Preparing for Personal Data Breaches |
| NCSC | Effective Incident Management |
| Verizon | Data Breach Investigations Report 2024 |
| European Commission | EU Cybersecurity Legislation Overview |
About the Author: Seamus O'Leary is Head of IT at a 100-person professional services firm in Dublin. After eight months of listening to The Small Business Cyber Security Guy podcast, he's now implementing what he learns and documenting the results. This is his first blog contribution, written with only moderate panic and excessive coffee consumption.
Want to share your own implementation story? The podcast is always looking for real-world case studies. Email podcast@smallbusinesscybersecurityguy.co.uk