Insurer notification timeline in IR plan
Demonstrate that the incident response plan contains documented, time-bound procedures for notifying the cyber insurance carrier following security incidents, aligned with policy requirements and incident severity thresholds.
Description
What this control does
This control requires the incident response plan to explicitly define the timeline and conditions under which the organization's cyber insurance carrier must be notified following a security incident. The timeline should specify maximum notification windows (e.g., within 24 or 72 hours of incident confirmation) based on incident severity, type, or potential financial impact. Timely insurer notification ensures compliance with policy terms, preserves coverage eligibility, and enables the insurer to provide breach response resources such as forensic support, legal counsel, or crisis communications.
Control objective
What auditing this proves
Demonstrate that the incident response plan contains documented, time-bound procedures for notifying the cyber insurance carrier following security incidents, aligned with policy requirements and incident severity thresholds.
Associated risks
Risks this control addresses
- Delayed insurer notification may void coverage or trigger policy exclusions, leaving the organization financially liable for breach costs
- Failure to meet contractual notification deadlines results in denial of claims for forensic investigation, legal defense, or regulatory fines
- Incident responders unaware of notification requirements may complete containment and remediation activities without insurer involvement, forfeiting access to policy-provided breach coaches or legal representation
- Ambiguous or missing notification timelines cause confusion during active incidents, leading to inconsistent reporting and potential coverage disputes
- Insurer-required evidence preservation steps are not performed when notification is delayed, weakening subsequent claims or legal defenses
- Late notification prevents the insurer from deploying pre-approved vendor panels for forensics or public relations, increasing response costs and extending recovery time
Testing procedure
How an auditor verifies this control
- Obtain the current incident response plan, runbooks, and any supplementary procedures related to external stakeholder notification
- Retrieve the organization's cyber insurance policy documents, including endorsements, declarations pages, and notices of coverage terms
- Review the policy for explicit insurer notification requirements, including maximum timeframes, triggering conditions, and contact methods
- Locate within the IR plan the section defining insurer notification timelines and compare specified timeframes against policy requirements
- Verify that the IR plan specifies notification thresholds based on incident type, severity classification, or financial impact estimates
- Examine the IR plan for designated roles and responsibilities for insurer notification, including primary and backup contacts
- Review incident records from the past 12 months where insurer notification was required and confirm timestamps demonstrate compliance with documented timelines
- Interview the IR team lead or security manager to confirm awareness of notification timelines and validate the process matches documented procedures
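The timestamp comparison described in the testing procedure above, as an added example that is not part of the original control page: a small Python check that evaluates incident records against severity-based notification windows and flags on-time, late, still-pending and overdue insurer notifications. The window values, severity names, incident identifiers and timestamps below are all constructed for illustration and are not taken from any real policy or incident register.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed notification windows (hours after incident confirmation), keyed by
# severity. A real plan takes these from the policy's notice-of-claim terms.
NOTIFY_WINDOW_HOURS: Dict[str, int] = {"critical": 24, "high": 72, "medium": 72}
# Severities absent from the table (e.g. "low") are assumed not to require
# insurer notification under this illustrative policy.

# Constructed "as of" time for the audit run; the test asserts against it.
AUDIT_NOW = datetime.fromisoformat("2024-07-01T00:00:00+00:00")


@dataclass
class Incident:
    incident_id: str
    severity: str
    confirmed_at: datetime
    insurer_notified_at: Optional[datetime]  # None = no notification recorded


@dataclass
class Finding:
    incident_id: str
    required: bool
    deadline: Optional[datetime]
    hours_to_notify: Optional[float]
    status: str  # not_required | on_time | late | pending | overdue


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp with an explicit UTC offset; None stays None."""
    return datetime.fromisoformat(value) if value else None


def evaluate(incident: Incident, now: datetime) -> Finding:
    """Compare one incident's notification timestamp against its severity window."""
    window = NOTIFY_WINDOW_HOURS.get(incident.severity.lower())
    if window is None:
        return Finding(incident.incident_id, False, None, None, "not_required")
    deadline = incident.confirmed_at + timedelta(hours=window)
    if incident.insurer_notified_at is None:
        # No notification yet: only a problem once the window has closed.
        status = "overdue" if now > deadline else "pending"
        return Finding(incident.incident_id, True, deadline, None, status)
    elapsed = incident.insurer_notified_at - incident.confirmed_at
    hours = elapsed.total_seconds() / 3600.0
    status = "on_time" if incident.insurer_notified_at <= deadline else "late"
    return Finding(incident.incident_id, True, deadline, hours, status)


def evaluate_all(incidents: List[Incident], now: datetime) -> List[Finding]:
    return [evaluate(inc, now) for inc in incidents]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status for the audit summary."""
    return dict(Counter(f.status for f in findings))


# Constructed incident register rows: (id, severity, confirmed, notified).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-2024-001", "critical",
             parse_ts("2024-03-01T09:00:00+00:00"), parse_ts("2024-03-01T20:30:00+00:00")),
    Incident("INC-2024-002", "high",
             parse_ts("2024-04-10T14:00:00+00:00"), parse_ts("2024-04-14T10:00:00+00:00")),
    Incident("INC-2024-003", "low",
             parse_ts("2024-05-02T11:00:00+00:00"), None),
    Incident("INC-2024-004", "critical",
             parse_ts("2024-05-20T08:00:00+00:00"), None),
    Incident("INC-2024-005", "medium",
             parse_ts("2024-06-15T08:00:00+00:00"), parse_ts("2024-06-18T08:00:00+00:00")),
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_INCIDENTS, AUDIT_NOW):
        hours = "-" if f.hours_to_notify is None else f"{f.hours_to_notify:.1f}h"
        print(f"{f.incident_id}: {f.status} (time to notify: {hours})")
    print(summarize(evaluate_all(SAMPLE_INCIDENTS, AUDIT_NOW)))
```

An auditor running this against a real incident register would feed the organisation's own severity scale and the policy's actual notice windows into `NOTIFY_WINDOW_HOURS`; the important edge cases are a notification that lands exactly on the deadline (treated as on time here) and an incident with no notification recorded, which is only a finding once its window has closed.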
Where this control is tested