When it happens, the clock is running. The companies that recover fast are the ones that decided what to do before the incident — not during it.
Recommended ModuleCarriers ask whether you have a written incident response plan because they have learned that the difference between a contained event and a catastrophic claim is usually the first hour — and whether anyone knew who to call. Most small and mid-size companies have no plan, no contact list, and no idea their cyber policy has a breach hotline that must be called promptly.
The three things they are really asking: Do you have a written IR plan? Do people know their roles and who to contact — your insurer, counsel, forensics, the bank? And have you ever practiced it? If your honest answer is "we would figure it out," that is exactly the gap this kit closes.
Find your cyber policy’s breach hotline.
Open your cyber insurance policy and locate the incident / breach reporting number and the notice deadline. Many policies require prompt notice and give you a breach coach and pre-approved forensics firm — but only if you call. Write that number somewhere your team can find it at 2am.
Write down who does what.
On one page, name three people: who runs the response, who handles the technical side, and who talks to staff and outside parties. It does not need titles or a org chart — it needs names and phone numbers. That page is the start of an IR plan.
Confirm you have an offline backup.
The single biggest factor in ransomware recovery is whether you have a backup the attacker could not reach and that you have actually tested restoring. Verify one exists and is off-network before you ever need it.
If the quick wins showed you the gap but not the path, the kit gives you a complete, ready-to-adapt response capability — the plan, the playbooks, the contacts, and a tabletop to prove it works — without hiring an IR firm on retainer.
Incident Response Plan
The master runbook — scope, activation criteria, and the four response phases (Prepare, Detect/Analyze, Contain/Eradicate/Recover, Post-Incident). Fill the highlighted fields and adopt.
Incident Response Policy
The policy that gives your plan authority. Pre-structured; edit and publish.
Roles & Contact Sheet
Internal responders plus the external contacts you cannot look up mid-incident: insurer breach hotline, counsel, forensics, bank fraud line, law enforcement.
Severity & Classification Matrix
Triage every incident consistently — severity tiers, response times, and who gets notified at each level.
Scenario Playbooks
First-hour, step-by-step playbooks for the incidents you are most likely to face: ransomware, business email compromise / wire fraud, lost device, data exposure, account compromise.
Incident Log & Tracking Register
A living record of every incident — your evidence and the input to your after-action reviews.
Breach Notification Decision Guide
Organizes the questions to work through with counsel and your insurer when an incident may be reportable. (A decision aid — not legal advice.)
Tabletop Exercise Kit
A facilitator guide plus ready-to-run scenarios and an after-action template, so you can practice the plan and find the gaps before a real event does.
Some environments need a plan built around them, not a template.
If your Whitestance score flagged Incident Response as a critical gap — or if you operate in a regulated industry where a mishandled incident carries legal and reporting consequences — a kit gets you prepared but a full engagement gets you battle-tested. Whitestance’s fractional CISO engagements build and drill your response capability across your whole environment, produce documented evidence your board, auditors, and carriers can see, and put an experienced hand on the phone when it matters. Engagements start at $40,000 for smaller organizations and scale from there.
Talk to us about a full engagement →