July 13, 2026 · incident response · how-to
How to write an incident response plan that satisfies your cyber insurance application
The short answer
A cyber-insurance-ready incident response plan is a written document naming who declares an incident, who to call (including your carrier's hotline and counsel), how to isolate affected systems, where backups are and who restores them, and how you communicate — tested at least annually with a documented tabletop exercise. Written but untested reads as shelfware to underwriters.
The Founder
Founder, Surable · 20 years in IT and information security
Of the seven controls carriers require, the incident response plan is the one most often missing entirely — not because it's hard, but because it's homework nobody owns. It's also the requirement with the best effort-to-outcome ratio: one honest afternoon with the right structure turns a hard "no" on your application into a documented "yes."
Here's the structure that satisfies the question, section by section.
What must the plan actually contain?
1. Roles, by name. Who declares an incident. Who talks to the carrier. Who talks to staff and customers (one voice, not five). Who can authorize spending money at midnight. Small businesses double-hat these roles — fine. Names and cell numbers, not titles.
2. The call list. Your cyber carrier's 24/7 hotline and policy number at the top — most policies require prompt notice, and carriers keep approved forensics firms and breach counsel on call. Then: IT/MSP, backup provider, bank (for fraud holds), key vendors, and after-hours numbers for all of the above.
3. First-hour isolation steps. Written for whoever is standing there, not for a security engineer: disconnect the affected machine from network/Wi-Fi (don't power it off — evidence lives in memory), disable the compromised account, preserve what's on screen with a phone photo, start a timeline note. Plain, numbered, laminated-card simple.
4. Backup recovery basics. Where backups live, who has credentials, the restore order (what comes back first), and — the question every tabletop exposes — whether anyone has actually restored from them recently. Claims data is blunt on why this matters: a record 86% of ransomware victims refused to pay in Coalition's 2026 analysis — and it's working backups plus a rehearsed plan that turn refusal from a wish into an option.
5. Communication rules. When and how you notify staff, affected customers, and regulators. You don't need the statutes memorized — you need "call counsel before any external statement" written down, because notification deadlines start at discovery and improvised statements create liability.
6. The severity ladder. A weird email attachment is not the same as encrypted servers. Three tiers (nuisance / serious / crisis) with who gets woken up at each keeps small events small.
Why "tested" matters as much as "written"
Applications increasingly ask both questions: Do you have a written IR plan? and Has it been tested in the last 12 months? Underwriters learned that untested plans are shelfware — and tabletops prove it, cheerfully, every time. In the first exercise, some phone number is always dead, some "who decides this?" is always unanswered, and someone always asks where the backups actually are.
The test that counts is modest: 60–90 minutes, one scenario, dated notes. Walk the room through a ransomware morning step by step. Write down what broke. Fix those things. That dated page of notes is your honest "yes" to the testing question — and your evidence if a claim is ever disputed.
The fastest honest path
If you have nothing today: write the one-page version this week (roles, call list, isolation steps, backup location), then grow it into the full plan with a proper template. The Surable Readiness Pack includes a fill-in-the-blank IR plan mapped to the exact application questions, plus the tabletop script and note-taking sheet — the whole exercise is designed to fit in one afternoon and one meeting.
Or start further upstream: the free Readiness Check will tell you in five minutes whether the IR plan is your biggest gap or merely one of several.
Common questions
How long should the plan be?+
Short enough to use at 2 AM. Most small businesses need 6–10 pages plus a one-page emergency card. Length impresses no one; a phone number that's actually current does.
What counts as 'testing' the plan?+
A tabletop exercise counts: 60–90 minutes, leadership plus whoever runs IT, walking through one realistic scenario ('ransomware note on the office manager's screen at 7:40 AM Monday'). Keep dated notes of what broke and what you fixed — those notes are your evidence for the application.
Should I call my insurance carrier before or after containing an incident?+
Early — most policies require prompt notice, and many carriers run 24/7 hotlines with approved forensics and ransomware counsel. Calling late (or using non-approved vendors) can jeopardize coverage. Put the hotline number in the plan itself.
Do I need a lawyer in my incident response plan?+
You need to know who you'd call, because breach notification deadlines (all 50 states have them) start ticking on discovery. Your carrier's panel counsel usually fills this role — another reason the carrier hotline belongs on page one.
Sources
Find out where you stand — free, in 5 minutes
Instant readiness score across the ten domains carriers probe, plus your top three gaps and how to fix them.