What to Do Immediately After a Cyber Attack on Your Business

Call 24/7 for a FREE Claim Assessment

Key Points:

  • The first steps after a cyber attack include isolating affected systems and preserving evidence.
  • Notifying stakeholders, assessing financial damage, and coordinating with cybersecurity experts are crucial.
  • Hiring a public adjuster can help recover financial losses tied to cyber insurance claims.


A cyber attack on your business demands immediate, calculated action. Begin by isolating systems, preserving evidence, and notifying the right stakeholders. Speed, accuracy, and a well-documented response process are key to minimizing the damage. Below is a breakdown of what to do immediately after a cyber attack on your business, including steps that help you recover, communicate, and claim losses.

Cyber Attacks Are Costly—and Common

In 2024, the average cost of a data breach globally reached $4.45 million, according to IBM’s Cost of a Data Breach Report. Small and medium-sized businesses are particularly vulnerable, often lacking dedicated cybersecurity staff or formal incident response plans. Phishing, ransomware, and malware continue to dominate attack types—crippling systems, stealing sensitive data, and halting operations.

With cyber threats rising, businesses must know exactly what to do after a cyber attack occurs. Every second counts, and how you respond can affect your reputation, finances, and even legal standing.

What to Do Immediately After a Cyber Attack on Your Business: Quick Answer

The first thing to do after a cyber attack is to isolate affected systems to prevent further spread, then document the incident, notify internal stakeholders, and begin forensic investigation. Taking swift action protects data, preserves evidence, and lays the groundwork for insurance claims or legal proceedings.

Isolate Affected Systems Immediately

Once you suspect a breach or attack, do not delay containment. Your priority should be to isolate infected devices, servers, or cloud services to stop the threat from spreading further.

Cutting off network access is essential, but you must do it methodically.

  • Disconnect impacted systems from the internet and internal networks.
  • Disable remote access to compromised servers.
  • Preserve data in its current state—do not delete or reformat unless advised by forensic experts.
  • Log all system activity, alerts, and unusual behavior.

This step helps prevent additional data loss or ransomware encryption and keeps a record for forensic review. Make sure only your incident response team or a trusted managed service provider handles this task.

Never power down machines unless absolutely necessary. Powering down wipes the contents of volatile memory, which could contain critical evidence.

Activate Your Incident Response Plan

If you have a cyber incident response plan, now is the time to activate it. If not, assign key responsibilities quickly and document every action from this point forward.

Here’s what should happen in the first few hours:

  • Identify the type of attack (phishing, malware, ransomware, data breach, etc.).
  • Assign a response leader to coordinate communication and remediation.
  • Secure login credentials for internal systems and third-party platforms.
  • Alert your internal IT team or external cybersecurity firm for a forensic investigation.

A structured incident response plan keeps your actions aligned, limits confusion, and helps ensure no step is overlooked. If you don’t have a formal plan, use this experience as a lesson to build one post-recovery.

Preserve All Evidence for Investigation and Insurance

Cyber attacks are not just technical issues—they’re also legal and financial events. Preserving digital evidence is essential for any claim you plan to file with your cyber insurance provider.

Focus on collecting the following:

  • Logs from firewalls, endpoint security, and servers
  • Screenshots of ransom notes, phishing emails, or suspicious messages
  • Any communications with attackers (especially for ransomware)
  • Timeline of when the breach was detected and actions taken

Without sufficient documentation, your insurer may delay or deny your cyber claim. Also, law enforcement or legal teams may need to review these materials if there’s a regulatory investigation.

Never attempt to clean or “fix” affected systems without first preserving data. Doing so might compromise your claim.

Notify Stakeholders and Legal Authorities

Transparency is critical. Depending on your industry, you may have a legal obligation to notify customers, regulators, and partners about the attack—particularly if sensitive data was exposed.

Here’s a prioritized list of who to notify:

  • Internal leadership teams and staff
  • Your cyber insurance provider
  • Clients and vendors who might be affected
  • Data protection authorities (e.g., under GDPR or state breach laws)
  • Law enforcement, such as the FBI’s Internet Crime Complaint Center (IC3)

Craft messaging that’s clear, accurate, and timely. Avoid assigning blame or guessing the cause until the facts are confirmed. Your legal team or public relations expert should guide external communication.

Failure to notify in time could result in penalties—especially if the breach involved personally identifiable information (PII).

Assess Business and Financial Impact

After containing the threat and notifying key parties, turn your attention to the damage. A successful cyber attack can result in:

  • Business downtime and lost revenue
  • Data loss or corruption
  • Theft of intellectual property
  • Legal fees and penalties
  • Reputational harm

It’s crucial to quantify these losses early to file a cyber claim properly. Work closely with:

  • Your finance team to estimate losses
  • Forensic IT to determine data loss or exfiltration
  • Legal counsel to review any contractual liabilities

Make sure everything is documented. Even indirect losses, like canceled contracts or higher customer churn, may be compensable under your cyber insurance policy.

File a Cyber Insurance Claim

If you have cyber liability coverage, file your claim as soon as possible. Most policies require notice within a specific timeframe (e.g., 48–72 hours).

Your claim package should include:

  • The incident report
  • Timeline of events
  • Forensic evidence and investigation summary
  • Financial damage estimates
  • Records of communication and containment efforts

Cyber claims are complex and often involve multiple areas of coverage, including business interruption, legal defense, data recovery, and even ransomware negotiation.

To avoid underpaid or denied claims, consider hiring a licensed public adjuster who specializes in cyber losses. They represent you—not the insurance company—and help ensure your claim reflects the full scope of damage.

Review Security Gaps and Improve Defenses

Once recovery is underway, it’s time to strengthen your defenses and prevent future breaches. Think of this as the “post-mortem” phase where your team identifies weak points.

Steps to take include:

  • Conduct a full cybersecurity audit
  • Patch known vulnerabilities and update all software
  • Change all compromised passwords
  • Invest in multi-factor authentication (MFA)
  • Provide cyber awareness training to employees
  • Revisit your disaster recovery and incident response plans

The best response to a cyber attack is to ensure the next one doesn’t happen. Regularly review your security stack and make sure you stay ahead of evolving threats.

Why Public Adjusters Matter in Cyber Insurance Claims

Most business owners are not cyber experts. And most insurance companies aren’t exactly eager to pay full cyber loss claims. That’s where public adjusters come in.

Public adjusters:

  • Represent your interests in the insurance claim process
  • Assess damages independently and thoroughly
  • Negotiate with your insurer to maximize your payout
  • Handle paperwork and deadlines so you can focus on recovery

Unlike insurance adjusters hired by carriers, public adjusters work for you. That’s critical when you’re facing financial recovery from a cyber attack that disrupted your business.

Additional Immediate Actions You Shouldn’t Overlook

Beyond containment, notification, and claim filing, there are several often-overlooked steps that can make a significant difference in your cyber recovery timeline. These practical actions help stabilize internal operations, preserve customer trust, and prepare your business for smoother handling of both the current attack and any potential future threats.

These steps may seem minor, but in the critical hours following a breach, every measure that protects your systems and data can prevent further loss.

Maximize Your Cyber Claim with Expert Help

Don’t navigate a cyber loss alone. Whether you’re in New Jersey, New York, or Florida, Crestview Public Adjusters is here to help you recover what you’re owed. As licensed public adjusters offering cyber claims assistance, we advocate for policyholders facing business interruption, data loss, and security breaches.

Our experts understand what to do immediately after a cyber attack on your business and how to translate those damages into a successful claim. From documentation to negotiation, we work on your behalf—every step of the way.

Contact Crestview Public Adjusters today to discuss your cyber insurance claim and get the support you need to move forward confidently.
