Cyber incidents have shifted from rare events to a common occurrence. The legal and commercial consequences can be severe, ranging from reputational damage to regulatory fines and litigation.
Here are some useful tips from a legal perspective:
Be prepared
- Have your incident response plan in place prior to an incident arising, ensure it is reviewed periodically and that it is tested.
- Effective responses typically include collaboration between IT teams, lawyers, PR teams and insurers. Have your response team in place in advance of an incident occurring.
Act fast
- Engage your incident response team and identify the source and scope of the breach. This will allow you to isolate the affected systems, potentially stop the unauthorised access, and prevent further compromise.
- Directors and officers have a duty to act with care, skill and diligence; therefore, delay or failure to contain the breach could expose the business to legal claims.
Seek legal advice
- Legal advice can help determine whether there has been a breach from a legal perspective and, if so, whether it is reportable. It can also cover how to draft notifications and the steps that must be taken in order to be compliant.
- Advice from solicitors will also typically have the benefit of legal privilege, protecting it from disclosure in any future regulatory investigations.
Record keeping
- Under UK GDPR and the Data Protection Act 2018, businesses must record all breaches, even those which are not reportable.
- Analyse what data was compromised, and when and how it was compromised – this will assist not only with dealing with the incident but will also help to reduce the risk of further breaches in future.
- Document decisions – these records can be useful in demonstrating compliance to regulators.
- Evidence can also be critical for contractual disputes with suppliers or processors who may share liability.
Comply with notification duties
- Establish if there has been a breach and, if so, whether it is reportable to regulators or data subjects.
- You must notify the Information Commissioner’s Office (ICO) within 72 hours where a breach is likely to result in a risk to individuals’ rights and freedoms. Failing to do so can result in significant fines (up to £8.7 million or 2 per cent of your global turnover) so this step is essential.
- Depending on the nature of your business, there may be requirements to notify regulators such as the Financial Conduct Authority in addition to the ICO.
- Establish whether there is a requirement to inform the affected individuals – if there is, ensure that affected individuals are informed without undue delay.
- If the position is unclear, it may be necessary to make preliminary notifications to regulators and update these as the investigation progresses.
Post-breach review
- Conduct a full internal review post-breach for lessons learned – this can help identify the causes (if they are not already clear), ensure vulnerabilities in the business's systems are resolved and reduce the risk of recurrence.
- Regulators also expect businesses to show they are taking steps to improve security, so a full review can be an important step in improving the business's security.
Review and mitigate supply chain risk
- Breaches can involve suppliers (for example, outsourced IT providers or cloud services); however, the data controller (the business) remains responsible for how personal data is processed. This makes it critical to understand where your business's data is held and processed, and what safeguards those processors have in place, prior to entering into the arrangement.
- Check data processing agreements (DPAs) for limitation of liability provisions and indemnities – if the contract contains low limitation of liability caps, the business may not be able to recover some or all of the cost of the breach from the supplier. It is therefore useful to check that these contracts are robust and establish where liability lies.
- It is also prudent to conduct due diligence on supplier data processing facilities and security arrangements both pre-contract and periodically thereafter, as well as checking that appropriate insurances are in place. Again, well-drafted contracts can facilitate and support these factors.
Cyber insurance
- Cyber insurance is a key piece of the cyber incident toolkit.
- Whilst some insurers provide useful cyber security resources, cyber insurance is primarily designed to provide businesses with a level of assistance to deal with a cyber incident and mitigate the downtime and fallout from it. Your insurance broker will be able to provide further information.
Ongoing training
- Ongoing training is key. Colleagues should be trained on how to identify a breach and what to do if a breach occurs.
- Ongoing training is also an important risk mitigation tool, as regulators will commonly ask, in the event of a breach occurring, when the employees involved last received training.
Responding to a data breach isn’t purely a tick-box exercise; it carries serious legal and commercial implications. Businesses must act swiftly in order to comply with statutory duties, manage contractual obligations and protect their reputation. Getting the response right can help mitigate both the regulatory and the commercial implications of the incident.
For expert guidance to ensure your business is prepared, please contact us.