Our Latest Advice

A cyberattack can be stressful and confusing. One minute your business is operating normally. The next, files may be locked, systems may be down, emails may be compromised, or money may have been redirected to the wrong account.

For many small and medium-sized businesses, the first few hours after a cyber incident are critical.

Knowing what to do can help reduce damage, protect important information, and improve your ability to recover. It can also help your insurer, IT provider, legal advisors, and cyber response specialists respond more effectively.

Here is what business owners should consider if they suspect a cyber incident.

Key Points About Responding to a Cyber Incident

Before diving into the details, here are some of the most important things business owners should understand if they suspect a cyber incident.

• Act quickly, but do not panic. The first few hours after a cyber incident can be important.
• Contact your IT provider as soon as possible so they can help assess the situation, isolate affected systems, and limit further damage.
• Contact your insurance broker or insurer early. Your cyber insurance policy may include access to breach response specialists, legal guidance, forensic experts, ransomware support, and recovery services.
• Contact your in house lawyers or extern legal team if you have one. If the cyber incident may involve personal information, customer records, employee data, contracts, regulators, or legal obligations, legal guidance can help you understand what needs to be done and how to communicate carefully.
• Do not delete files, emails, logs, ransom messages, payment instructions, or other evidence. This information may be needed to understand what happened and support an insurance claim.
• If money has been transferred or payment instructions may have been changed, contact your bank immediately. Time matters when fraud or funds transfer is involved.
• Communicate carefully with employees, customers, suppliers, and others. Avoid guessing or sharing incomplete information before the facts are known.
• After the incident is under control, review what happened and strengthen controls such as multi-factor authentication, backups, employee training, software updates, and payment verification procedures.

How Would I Know If My Business Has Been Cyber Attacked?

Cyber incidents are not always obvious at first. Warning signs may include:

• Locked files or ransom messages
• Unusual login activity
• Missing, changed, or corrupted data
• Slow systems or repeated crashes
• Strange pop-ups
• Suspicious emails sent from your account
• Unexpected password resets
• Customers receiving emails you did not send
• Money being redirected to an unfamiliar account
• Your bank, supplier, customer, or IT provider telling you something looks wrong

Sometimes the first sign is a ransom note. Other times, it may be a customer calling to ask why they received a strange invoice or email from your business.

If something feels wrong, treat it seriously.

Step 1: Disconnect Affected Systems if Needed

If you suspect a ransomware attack, malware infection, or unauthorized access, your IT provider may recommend disconnecting affected computers or systems from the network.

The goal is to help limit the spread of the attack.

Do not start deleting files, wiping computers, or reinstalling software unless your IT provider or cyber response team advises you to do so. Evidence may be needed to understand what happened and support an insurance claim.

Step 2: Contact Your IT Team or Provider

Your IT team or provider should be one of your first calls.

They can help assess what happened, isolate affected systems, preserve important evidence, and determine whether the incident is still ongoing.

If you do not have an internal IT team, contact your external IT provider or managed service provider right away.

Step 3: Contact Your Insurance Broker or Insurer

If you have cyber insurance, contact your broker or insurer as soon as possible.

Many cyber policies include incident response services. These may provide access to breach coaches, legal counsel, forensic specialists, ransomware negotiators, and other experts.

Your policy may also include specific reporting requirements. Delays in reporting can create problems, so it is important to follow the claim instructions carefully.

At Munn Insurance, we can help guide you through the next steps and connect you with the right claims support.

Step 4: Involve Legal Counsel When Needed

Some cyber incidents may involve legal, privacy, regulatory, or contractual obligations.

If personal information, employee records, customer data, confidential client files, payment information, or sensitive business information may have been accessed or exposed, legal guidance can be important.

Your cyber insurance policy may provide access to breach counsel or other legal support as part of the incident response process. If your business has in-house counsel or an external lawyer, they should also be involved when needed.

Legal counsel can help your business understand notification obligations, communicate carefully, respond to regulators, review contracts, and avoid sharing incomplete or inaccurate information before the facts are known.

Step 5: Contact Your Bank if Money Is Involved

If you suspect fraudulent funds transfer, business email compromise, or payment redirection, contact your bank immediately.

Time matters.

Your bank may be able to freeze accounts, stop a transaction, trace funds, or advise on next steps. You may also need to notify law enforcement, depending on the circumstances.

Keep copies of emails, invoices, payment instructions, bank records, and related communications.

Step 6: Preserve Evidence

It may be tempting to delete suspicious emails, close pop-ups, or reset everything immediately. But evidence can be important.

Try to preserve:

• Suspicious emails
• Ransom messages
• Screenshots
• Login records
• Payment instructions
• Invoices
• Bank records
• System alerts
• Communication with customers, suppliers, or employees
• Notes about when the incident was discovered

This information may help your IT provider, insurer, legal counsel, or forensic team understand what happened.

Step 6: Communicate Carefully

After a cyber incident, communication matters.

You may need to speak with employees, customers, suppliers, banks, regulators, or others. But it is important to avoid guessing or sharing inaccurate information before the facts are understood.

Cyber insurance policies may provide access to legal and crisis communication support. These professionals can help determine what needs to be communicated, when, and to whom.

If personal information was involved, there may be privacy notification obligations.

Step 7: Review What Happened and Strengthen Controls

After the immediate incident is under control, your business should review what happened and what can be improved.

This may include:

• Adding or strengthening multi-factor authentication
• Improving backups
• Updating software
• Training employees
• Reviewing payment verification procedures
• Restricting access to sensitive information
• Updating passwords
• Reviewing vendor access
• Creating or updating an incident response plan

A cyber incident can be disruptive, but it can also reveal areas where your business can reduce future risk.

Frequently Asked Questions About Cyber Incident Response

• What should I do first if my business is cyber attacked?
  If you suspect a cyber incident, contact your IT provider and your insurance broker or insurer as soon as possible. If money has been transferred, contact your bank immediately.
• Does cyber insurance help after an attack?
  It may. Cyber insurance can help with costs such as investigation, legal guidance, data recovery, business interruption, ransomware response, customer notification, and certain cyber crime losses, depending on the policy.
• What if a customer tells me they received a suspicious email from my account?
  Treat it seriously. Your email account may be compromised. Contact your IT provider, change passwords carefully, review account access, and notify your broker or insurer if you suspect a cyber incident.
• How can I prepare before a cyber incident happens?
  Have an incident response plan, use multi-factor authentication, back up important data, train employees, keep systems updated, and make sure you know who to contact if something goes wrong.
• What does cyber insurance cover?
  Cyber insurance may cover costs related to data breaches, ransomware, cyber extortion, business interruption, forensic investigation, data recovery, customer notification, legal defence, privacy claims, regulatory investigations, and certain cyber crime losses, depending on the policy.
• What is the difference between first-party and third-party cyber insurance?
  First-party cyber insurance helps protect your own business from direct costs after a cyber incident, such as breach response, data recovery, cyber extortion, and lost income. Third-party cyber insurance helps protect your business if someone else makes a claim against you after a privacy breach, network security failure, or other covered cyber event.
• Is cyber insurance legally required?
  Cyber insurance is not always required by law, but some contracts, clients, vendors, lenders, professional associations, or business partners may require proof of cyber coverage. Even when it is not required, it can be an important part of a business insurance program.
• Does cyber insurance cover ransomware?
  Many cyber insurance policies may provide coverage for ransomware-related expenses, including investigation, recovery costs, cyber extortion response, business interruption, and certain payments where legally permitted and approved under the policy. Coverage varies, so it is important to review policy wording and conditions.
• Does cyber insurance cover phishing or fraudulent funds transfers?
  Some cyber policies may provide coverage for phishing, social engineering, or fraudulent funds transfer losses. This coverage often has specific conditions, sub-limits, and verification requirements, so it should be reviewed carefully with your broker.
• Does cyber insurance cover mistakes made by employees?
  It may, depending on the policy. Many cyber incidents begin with an employee clicking a fraudulent link, downloading a harmful attachment, using a compromised password, or responding to a fake payment request. Cyber insurance may help respond to certain covered incidents involving employee error, but coverage depends on the policy wording, security requirements, and the type of loss.
• Does cyber insurance cover outages involving cloud providers or third-party technology vendors?
  Some policies may include coverage for dependent system interruptions, which can help if your business is disrupted because of a covered cyber event involving a third-party technology provider. This coverage is not always automatic, so it should be reviewed carefully with your broker.
• What are the most common types of cyberattacks businesses face?
  Common cyberattacks include phishing emails, ransomware, malware, business email compromise, fraudulent funds transfers, and distributed denial of service attacks, often called DDoS attacks. Phishing is especially common and may involve fake emails, links, invoices, or login pages designed to trick employees into sharing information, downloading malware, or sending money to the wrong place.
• What does cyber insurance not cover?
  Cyber insurance policies vary, but common exclusions may include known incidents that occurred before the policy started, intentional wrongdoing, failure to maintain required security controls, war or certain state-sponsored attacks, bodily injury, physical property damage, and upgrades beyond restoring systems to their prior condition.
• What information do I need to get a cyber insurance quote?
  You may need to provide details about your business operations, annual revenue, industry, number of employees, type of data collected, technology systems used, cybersecurity controls, previous cyber incidents, and desired coverage limits.
• What cyber coverage should my business consider?
  Many businesses should review coverage for data breach response, ransomware and cyber extortion, business interruption, cyber crime, fraudulent funds transfer, privacy liability, network security liability, regulatory defence, and data recovery.
• Should I review cyber insurance every year?
  Yes. Your cyber risk can change as your business grows, adds employees, uses new software, accepts online payments, stores more customer information, or signs new contracts. Reviewing cyber insurance each year can help ensure your coverage still reflects the way your business operates.
• How much does cyber insurance cost?
  Costs vary based on business size, industry, revenue, data exposure, cybersecurity controls, coverage limits, optional coverages, and claims history. The best way to find out your cost is to get a personalized quote.
• How can I get a quote for Cyber Insurance?
  Getting a quote is quick and straightforward. You can visit Munn Insurance online at www.munninsurance.com/business and complete a short quote request form in just a few minutes. Once submitted, a member of our commercial insurance team will review your information and follow up with tailored options for your business. If you would rather speak with someone directly, you can also call Munn Insurance Monday to Friday, 8:30 a.m. to 4:30 p.m. at 1-855-726-8627 to speak with a commercial insurance advisor.
• Why use a broker like Munn Insurance for cyber insurance?
  Cyber insurance can feel complicated because coverage wording, exclusions, sub-limits, security requirements, and claims processes vary by insurer. At Munn Insurance, our commercial team can help explain your options in plain language, identify possible gaps, compare coverage, and build a cyber insurance solution around the way your business actually operates. Beyond finding competitive pricing, we also help

The Bottom Line

A cyberattack can create confusion, stress, and financial pressure, especially for a small or medium-sized business.

The key is to act quickly, preserve evidence, involve the right professionals, and follow the reporting requirements in your insurance policy.

Cyber insurance can provide financial protection and access to specialized support when your business needs help most.

Need more information?

Visit Munn Insurance online and go to the business insurance page at www.munninsurance.com/business and complete our online quote request form.

Prefer to speak with someone directly?

Call Munn Insurance Monday through Friday from 8:30 a.m. to 4:30 p.m. at 1-855-726-8627 and speak with one of our commercial insurance specialists.