Cybersecurity // Planning + Practice for the Worst Day

A plan you've never practiced is just paper.

Ransomware crews now steal a copy of your data before they lock it — so even good backups don't save you from the blackmail. Insurers and regulators want proof you've actually rehearsed what happens. We write the plan with you, run drills with your leadership team, and stay on call 24/7 if it ever turns real.

4 business days
Some companies must publicly disclose a serious incident within this window
Worker responding to an emergency alert
fig.01
Whitby
Delivered locally across the Durham Region. PHIPA & National Industrial Security Standards Aligned.
3-Hour On-Site Dispatch
Having local engineering support right here in Whitby means we don't have to wait for technicians from downtown. Our server migration was planned meticulously and executed with zero disruption.
Dr. Sarah Lin, Whitby Specialty Medical Plaza
What you get

What's included.

  • 01

    IR plan authored for your firm

    Not a downloaded template. The plan reflects your stack, your team, your regulatory exposure, your insurer's specific notification requirements.

  • 02

    Scenario runbook library

    Distinct runbooks for ransomware, business email compromise, data exfiltration, insider threat, supply-chain compromise. Drilled, not just written.

  • 03

    Tabletop exercises — executive and technical

    Quarterly drills. The technical team rehearses the runbook. Leadership rehearses the decisions — disclosure, communications, negotiations, customer notification.

  • 04

    24/7 retainer for activation

    On declared incident, we activate within one hour. Pre-negotiated scope, pre-authorized to act. No emergency procurement cycle.

  • 05

    Post-incident lessons-learned

    Every drill and every real incident ends with a written post-mortem and control updates. We update the plan; you stay improving.

  • 06

    Annual recertification

    Full plan review against current threat landscape and regulatory changes. Plans drift faster than people realize.

Response runbook

The first hour of a real ransomware activation.

This is the runbook our IR team executes when a client declares a ransomware incident. Minute-by-minute, no narrative.

  1. T+0:00
    Detection. Client declares. Senator IR on-call paged via dedicated line.
  2. T+0:05
    Patient-zero endpoint isolated via EDR. Outbound network blocked at perimeter.
  3. T+0:10
    IR coordinator call established. Client CISO/IT, Senator IR lead, communications lead, legal counsel notified.
  4. T+0:15
    Legal and insurance notification — insurer's IR retainer activated where applicable; outside breach counsel looped in.
  5. T+0:25
    Scope assessment begins. Lateral movement search. Account compromise audit. Backup integrity check.
  6. T+0:30
    Leadership briefing #1: scope summary, containment status, immediate decisions required (continue operations? disclose now? pay or not pay?).
  7. T+0:45
    Communications plan freeze. No external statements without IR sign-off. Internal staff communication drafted.
  8. T+0:60
    Containment status update. Restoration plan begins to take shape. SEC clock starts ticking if applicable.
Regulatory map

Notification windows that compound the breach if you miss them.

When the incident is confirmed material, the legal clock starts. Different frameworks, different windows. You need to know yours.

SEC 8-K (US public co)
Within 4 business days of materiality determination
Adopted 2023; aggressively enforced 2025+.
GDPR Art. 33 (EU personal data)
Within 72 hours of awareness
Failure compounds the fine.
HIPAA Breach Notification (US PHI)
60 days to affected individuals; immediate to HHS for 500+ records
Annual log of <500 breaches due 60 days after year-end.
PHIPA (Ontario)
'At the first reasonable opportunity'
IPC notification required for theft, loss, or unauthorized access.
OSFI Technology and Cyber Incident Reporting (Canadian FRFIs)
Within 24 hours of classification
Federally regulated financial institutions.
US state breach laws
30–90 days, varies by state
California, NY, Massachusetts, Illinois have specific additional requirements.
Compare

IR readiness — the maturity ladder.

Most firms self-assess one tier higher than their actual position. The honest test: when did you last drill?

Plan in a binder, never testedAnnual tabletop with consultantQuarterly drills + 24/7 retainer + full restore
Insurance acceptance (2026)DecliningYesPremium discount
Regulatory acceptanceOften insufficientYesYes
Executive readinessLowMediumHigh
Recovery time when it's realDays–weeksHours–daysHours
Cost of unprepared incidentAverage $4.9M (IBM 2025)~30% lower~60% lower
By the numbers

What we track — and what each metric reveals.

4
/yr
Tabletop exercises

Quarterly minimum. Higher cadence for high-risk firms.

~50
%
Faster recovery when drilled

Teams that have practiced fix things in roughly half the time of teams that haven't.

>95
%
RPO hit rate

In quarterly restore tests. Most untested backups fail their RPO when actually tried.

>80
%
Executive coordinator-recall

% of leadership who can name the IR coordinator without checking. Deceptively useful.

Who needs this

Who needs this.

  • Publicly traded companies (US SEC 8-K, similar regulators internationally).
  • OSFI-regulated FRFIs (Canadian federally regulated financial institutions).
  • Cyber-insurance applicants and renewals — universal requirement in 2026 policies.
  • Anyone whose last 'IR test' was the actual incident.
  • M&A targets in due diligence — buyers will ask for evidence of an IR program.
  • Any organization holding regulated data (PHI, PII, PCI, financial) at material scale.
FAQ
Q01

Do we really need a plan? We have backups.

Backups handle the encryption half of a ransomware incident. They don't handle the exfiltration half (double extortion is standard in 2026), the regulatory notification clock, the customer communication, the SEC disclosure, the insurance claim documentation, or the executive decisions in the first hour. The plan handles those.

Q02

What's a tabletop exercise, actually?

A facilitated discussion where the team walks through a realistic incident scenario in real-time. No actual systems are touched — the value is rehearsing decisions and communications under pressure with the actual decision-makers in the room.

Q03

How often should we drill?

Quarterly is the 2026 baseline for any firm with material regulatory exposure. Annual is the minimum to satisfy most insurers. Daily is overkill — quarterly hits the right cost/value point.

Q04

What does day 1 of ransomware actually look like?

See the response runbook section above. The first hour is structured and time-boxed. The first day involves continued scope assessment, customer/regulator notification decisions, comms, restoration planning, and a lot of leadership-team interrupts. Drilled teams handle it. Untested teams freeze.

Q05

Do you negotiate with attackers?

We don't directly — but we work with negotiation specialists when payment is on the table. Many ransomware crews are now on US Treasury OFAC sanctions lists, which complicates payment legally. The decision to pay or not is the client's, informed by legal, insurance, and operational impact.

Q06

What about the new SEC 8-K rule?

US public companies must file Form 8-K Item 1.05 within four business days of determining a cybersecurity incident is material. The clock starts at materiality determination, not detection — but the determination itself can't be unreasonably delayed. We help draft the materiality framework and the 8-K-ready language before you need it.

Next step

Free 90-minute tabletop using a real 2026 ransomware scenario.

Your leadership team in a room with us. Realistic injects. No slides, no theory. You'll see exactly where your current readiness is — and isn't.

Schedule the tabletop