Curating a cyber incident response
Organisations that handle cyber incidents best manage their response well.
- Cyber Security
- Technology

For legal professionals advising clients during such incidents, the ideal response is structured. It utilises co-ordination, sharp decisions, careful communication and early legal oversight to prevent a cyber incident morphing from a manageable event into a regulatory, legal and reputational crisis.
An efficient response protects evidence, supports claims of legal professional privilege where appropriate, limits regulatory exposure and helps the organisation make clear, defensible decisions under pressure.
Legal advice from the outset
Don’t treat a cyber incident as a purely technical event. Technical details will dominate the early discussion: malware variants, compromised credentials, lateral movement, forensic artefacts. A common mistake follows from this: organisations call IT or an external forensic firm and begin investigating immediately, and legal advisers only become involved hours or days later. By then, important decisions may already have been made that affect regulatory obligations, evidence handling or legal professional privilege.
In mature responses, legal advisers are involved from the outset. This ensures that investigative work is conducted within a structure that supports claims of legal professional privilege where appropriate, and that:
- Communications are managed carefully
- Regulatory obligations are considered early
- Decisions about disclosure are properly assessed
In many cases, the forensic investigation itself is commissioned by external counsel so that the work is conducted under legal oversight from the beginning.
Clarity and control
During a cyber incident, multiple stakeholders are involved: IT and security teams, executive leadership, legal counsel, communications teams, insurers, external forensic specialists, and regulators or law enforcement. Without clear coordination, effort is duplicated, messaging is inconsistent and instructions conflict.
Establish a clear incident command structure with a small decision-making group. This includes senior leadership, legal counsel and the incident response lead. The group:
- Sets priorities
- Approves key decisions
- Coordinates external advisors
- Manages communications
Thus the organisation speaks with one voice. It is deliberate, not reactive.
Structured decision-making
Speed matters in a cyber incident response, but poorly considered decisions create significant legal or regulatory consequences.
Ill-thought-out moves include making premature public statements, notifying regulators before the facts are known, shutting down systems without preserving evidence, paying ransoms without proper analysis of the potential pitfalls, and engaging external vendors without a clear scope.
Clever incident responses pause the decision-making process just enough to ensure that decisions are documented, justified, and informed by the right expertise.
Notably, in Ireland and across the EU, organisations must also consider whether an incident constitutes a personal data breach under GDPR. Where it does, notification to the Data Protection Commission (DPC) may be required within 72 hours of becoming aware of the breach.
Determining whether that threshold is met often depends on facts that are still emerging in the early stages of an investigation. Structured decision-making helps organisations avoid premature or inaccurate regulatory notifications.
It’s best practice to maintain:
- A structured decision log
- Regular incident briefings
- Defined escalation thresholds
- Documented legal and regulatory considerations
This record is invaluable when regulators, insurers, or courts examine how the organisation responded to the cyber incident.
Preserving evidence
Another frequent unforced error is the destruction of valuable forensic evidence during early response efforts.
Well-meaning IT staff may reboot compromised systems, wipe affected machines or reset infrastructure without first capturing forensic data. Such actions can destroy evidence needed to understand the scope of the incident, and it cannot be recovered afterwards.
Good responses balance containment with evidence preservation. External forensic specialists are engaged early, and technical actions are coordinated to ensure that logs, memory artefacts, and system images are preserved. For legal teams, this ensures that the factual record is defensible in court.
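The defensible factual record described above rests on being able to show, later, that the artefacts examined are the artefacts collected. The following is an added illustration, not code from the article or from Stryve: it hashes a set of collected artefacts into a manifest that records who collected what and when, then re-verifies that manifest so that any post-collection change (such as a log being "tidied up" by helpdesk) is detected. The case identifier, collector name and sample artefact contents are all constructed for the example.

```python
"""Evidence-preservation manifest: hash collected artefacts, then verify them later.

Added example (not the article's own code). All identifiers and sample data are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical case identifier used only for this example.
CASE_ID = "IR-EXAMPLE-0001"


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large disk images and memory dumps need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artefact_paths, collector: str, case_id: str = CASE_ID) -> dict:
    """Record, per artefact, its path, size, SHA-256, collection time (UTC) and collector.

    The hashes are the defensible part: they let anyone show later that the copy being
    examined is byte-for-byte the copy taken at collection time.
    """
    entries = []
    for path in sorted(artefact_paths):
        entries.append({
            "path": path,
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"case_id": case_id, "artefacts": entries}


def verify_manifest(manifest: dict) -> list:
    """Return the paths that are missing or whose hash no longer matches (empty list = intact)."""
    changed = []
    for entry in manifest["artefacts"]:
        path = entry["path"]
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            changed.append(path)
    return changed


def demo() -> tuple:
    """Constructed walk-through: collect three artefacts, then show that a later edit to
    one of them is detected. Returns (mismatches_at_collection, mismatches_after_edit)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-ins for a log export, a memory capture and a disk image.
        samples = {
            "auth.log": b"2024-01-01T03:12:44Z sshd: Accepted password for svc-backup from 10.0.0.7\n",
            "memory.raw": os.urandom(4096),
            "disk.img": b"\x00" * 8192,
        }
        paths = []
        for name, data in samples.items():
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)

        manifest = build_manifest(paths, collector="forensic-vendor-analyst")
        with open(os.path.join(workdir, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)  # the manifest itself is kept with the evidence

        before = verify_manifest(manifest)

        # Simulate the unforced error: someone "cleans up" the log after collection.
        with open(paths[0], "ab") as fh:
            fh.write(b"# cleaned up by helpdesk\n")
        after = verify_manifest(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("intact at collection:", before == [])
    print("modified since collection:", after)
```

In practice the manifest would be written to separate, write-once storage and signed or hashed itself, so that the record of the hashes is as tamper-evident as the artefacts; the example keeps it beside the evidence only for brevity.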
Communication caution
In the early hours of an incident, information is incomplete and often inaccurate. Yet there is pressure to communicate with executives, staff, customers, regulators and the media. There’s a danger of producing inconsistent or speculative statements that later prove incorrect. Strict communication discipline is needed:
- A single internal reporting channel
- Designated spokespersons
- Clear guidance on internal email and messaging
- Legal review of external communications
This reduces the risk of creating documents or statements that later complicate litigation, regulatory reviews, or insurance claims.
Managing legal professional privilege
Legal professional privilege can be critically important during cyber incidents. However, privilege is often unintentionally compromised during incident response.
Common pitfalls include widely distributing forensic reports internally, forwarding privileged communications outside the legal team, and mixing operational discussions with legal advice.
Where privilege is a priority, responses are structured carefully:
- External investigators are retained through legal counsel
- Sensitive communications are clearly marked and restricted
- Reporting structures are designed to maintain confidentiality
This does not guarantee privilege in every circumstance but significantly improves the organisation’s position.
Avoiding unforced errors
To reiterate, many of the most damaging consequences of cyber incidents arise not from the breach itself but from how the organisation reacts.
Common unforced errors include premature attribution of the attacker, over-confident public statements, internal speculation recorded in email, inconsistent communications with regulators and failure to document key decisions.
A disciplined response recognises that facts evolve during an investigation. Statements are carefully qualified, and decisions are recorded with the information available at the time. This restraint can make a substantial difference when incidents are later scrutinised by regulators, insurers, or courts.
Wider regulatory landscape
Cyber incidents trigger obligations beyond GDPR. Depending on the sector, organisations may need to consider notification requirements to regulators such as the Central Bank of Ireland, ComReg, or other supervisory bodies.
In addition, the implementation of the NIS2 Directive will expand cybersecurity governance and incident reporting obligations across a wide range of sectors. Many organisations that previously viewed cyber incidents primarily as technical events will need to treat them as regulatory matters. A coordinated response that includes legal, technical, and executive leadership is essential.
Be prepared
Optimal incident responses are rarely improvised. They are the result of preparation. Tabletop exercises involving legal, technical, and executive teams improve coordination before a real incident occurs.
A neat response includes:
- A tested incident response plan
- Pre-identified external counsel and forensic providers
- Defined internal roles and responsibilities
- Communication protocols
- Executive-level awareness of incident procedures
Regulators increasingly assess not only the cyber incident itself but how the organisation responded.
For legal firms advising clients at such a critical time, understanding what a well-run response looks like can be just as important as having a grasp of the technical details of the breach itself.
Paul Delahunty is Chief Information Security Officer at Stryve, a leading Irish multi-cloud and cybersecurity company and ICTTF Cyber Security Company of the Year 2022. Paul is CIO and IT Leaders Security Leader of the Year 2023 and 2024, and is the Tech Excellence Awards CIO of the Year 2024.