The same incident, on Slack + Confluence + email versus on IR-OS.

EDR alert fires.

SOC analyst sees ransomware indicator. Pings IR Lead in Slack DM.

• IR Lead is on PTO. Slack DM goes unread.
• Backup IR Lead is in a customer meeting, phone on silent.
• Analyst escalates to manager. Manager is between flights.

Trying to reach the IR team.

No single contact list. Phone numbers buried in email signatures and someone's old Notion page.

• CISO mobile not answering - in a board prep meeting.
• Outside counsel main number rings to voicemail.
• Cyber insurance broker contact found in CFO's email from 2 years ago.
• PR firm contact lost. Was it Edelman? Was that last year?

Hunting for the cyber insurance policy.

"Where is the actual policy PDF?" Nobody knows. Insurance is a CFO problem most days, not a CISO problem.

• CFO assistant searches SharePoint - finds three different policy PDFs from three years.
• Are we sure the current one is in force? Renewal was March, right? Or April?
• Ransomware exclusion page nobody can read on a phone.
• First-notice clause: 24 hours? 48 hours? Different policies say different things.
• Deductible amount? Sub-limits for ransom payment? Nobody can answer.

Hunting for the IR plan.

"We have a plan, right?" Three people search Confluence in parallel.

• Found - last edited 14 months ago. Pre-dates the SaaS migration.
• References a SOC vendor we offboarded last year.
• Names two responders who left the company.
• "Step 4: Engage XYZ." XYZ is no longer an MSSP we use.
• Notification deadlines listed are out of date with current SEC rules.

Coordination breaks first.

Six people in Slack asking "who is doing what?" CISO is in three Zoom rooms.

• Two parallel Slack threads spawn - #incidents and a private DM group.
• "Are we calling this an incident yet?" Scope debate consumes 8 minutes.
• Nobody is sure who has authority to take production fileservers offline.
• Decisions getting made by whoever talks loudest in the call.
• Two of the six on-call responders never got the page (Slack DM mute).

Leadership wants an update. All of them. Now.

CEO, CFO, COO, board chair, and head of HR all texting at the same time. Each wants their own version.

• CEO: needs a 1-line summary for an investor he is on a call with.
• CFO: needs cost exposure and insurance status for cash planning.
• Board chair: wants to know if the disclosure clock has started.
• COO: asking if she should pause customer onboarding.
• Comms Lead writing four custom updates by hand. Fact drift between versions within 20 minutes.

Hunt for outside counsel and PR firm contacts.

"What's the breach hotline number for the firm we use?" "Was it Munger or Latham last year?"

• Outside counsel breach line: found in old retention letter, attached to GC's deleted laptop.
• Privileged comms channel never set up. Defaulting to standard email - privilege now in question.
• PR firm: contract lapsed last year. Replacement firm not retained yet.
• Spokesperson list never finalized. CEO assumes it's the CISO. CISO assumes it's the GC.

Still trying to reach the carrier.

First-notice clock now uncertain - was it 24 hours or 48? Repeating facts to broker that were already shared in Slack.

• Broker forwards to carrier claims line. Voicemail.
• Claims adjuster requests a structured timeline. We do not have one.
• Adjuster asks for the IR plan we are following. We are not sure which version.

Holding statement debate erupts.

Four parallel versions in flight: marketing's, legal's, CEO's, customer success's. Track-changes nightmare across email and Google Docs.

• Marketing pushes for "incident" language. Legal pushes for "potential incident."
• CEO wants to say nothing yet. CFO wants something to share with the lender on a call in 30 min.
• Three different "final" PDFs end up in three different inboxes.
• One version accidentally cc's a customer-facing distribution list. Recall sent. Recall fails.

Customer Success: "Which customers do we notify first?"

Nobody has a sorted list. Sorted by what - contract value, data sensitivity, regulatory exposure, prior incident history? All four matter, none are encoded.

• Top 10 customers list pulled from Salesforce - last refresh 6 weeks old.
• EU customers (GDPR exposure) flagged manually by reading account names.
• Healthcare customers (HIPAA BAA in force) - no flag, manually checked.
• Two customers under MSA breach-notification-within-24-hours clauses missed entirely.

"Wait, when does the SEC clock start?"

Nobody is sure if this hit materiality. Slack debate.

• Materiality determination is being made informally by people not authorized to make it.
• Counsel asks: "Did we already determine materiality? When?" Nobody can point to the decision.
• NY DFS 72-hour clock - did anyone start it? Started from when - detection or declaration?
• GDPR Art 33 - same question. Different "awareness" definition. More confusion.
• HIPAA notification - is the affected fileserver in the BAA scope? Nobody is sure.

Re-litigating decisions.

Slack thread loops back: "Wait, who decided to take the fileserver offline?" Nobody can find the message.

• Decision attributed to nobody. Three people remember three different versions of the call.
• Production team angry - "you broke the SaaS environment for 4 hours, who authorized that?"
• Comms Lead asking if the holding statement is approved. Nobody has the latest version.
• HR asking if employees are getting an update. The third all-hands brief draft is on someone's laptop.

Frantic reconstruction for the board call.

CEO needs a 1-page summary for the emergency board call at 4pm. Comms Lead and CISO scrambling.

• Scrolling through 14 Slack channels and 6 Zoom recordings to reconstruct yesterday.
• Three people produce three different timelines, off by 20 minutes on key events.
• Materiality status: unclear. Privilege status of board materials: unclear.
• Outside counsel disagrees with internal version of events on at least two decisions.
• 1-pager hits 4 pages. Then 7. Then "actually let's just talk through it."

"Did we tell the carrier yet?"

CFO asks. Nobody is sure if the FNOL was officially submitted or just discussed.

• Email to broker found - but no formal claim number assigned yet.
• Carrier requests structured timeline. Now we are reconstructing it for them too.
• Out of compliance with the 24/48-hour first-notice clause? Unclear. Coverage could be at risk.
• Broker chasing IR plan version followed during the response. We do not have one to send.

Customer breach letter v9 in track changes.

Five reviewers, three jurisdictions, two PDF mishaps. Nobody is sure which version is the latest.

• Outside counsel sends redlines via email attachment. Comms Lead applies them in Word. Marketing pushes back on tone.
• Privilege bleed: a draft is forwarded outside privileged channel. Privilege now in question.
• v9 has a typo in the carrier name. v10 fixes it but loses two earlier corrections.
• Final PDF differs from final DOCX. Subscriber unsure which one to send.

After-action review put on the calendar for "next month."

Will mostly be reconstructed from memory and Slack scrolls. Will not update the IR plan.

• Calendar invite sent for 4 weeks out. Two key responders already on PTO that week.
• "Did we send the EU residents notification?" Nobody is sure. Searching email.
• Lessons learned theatre: a slide deck nobody re-reads.
• Plan does not update. Readiness score does not change. Same gaps will hit the next incident.

Three regulators want the timeline.

SEC, the state AG, and the carrier all open inquiries. Three different production formats requested.

• Forensic team reconstructs from Slack export, Confluence page history, email threads, Zoom recordings.
• Three timeline versions produced. Off by 12-40 minutes on key events.
• Privilege classification done by hand on every email - lawyers bill by the hour.
• Some Slack messages auto-deleted (90-day retention). Gaps in the timeline acknowledged in cover letter.
• Cover letter language carefully managed - any mismatch with carrier or counsel version creates new exposure.

Plaintiffs counsel sends a discovery letter.

"Produce all communications regarding the decision to pay/not pay the ransom, who authorized notification language, and how the materiality determination was made."

• No defensible chain. No structured signoff record.
• Disputes about which Slack messages were deleted vs auto-archived. Plaintiffs argue spoliation.
• Privilege log produced manually - 600 line items, multiple privilege challenges from opposing counsel.
• Outside counsel bills 200+ hours reconstructing an authoritative timeline from primary sources.
• Settlement leverage erodes because we cannot prove what we did when.

Cyber insurer disputes the claim.

"You did not follow your published IR plan during the response. Coverage may be reduced or denied."

• Hard to argue. Nobody can prove which version of the plan was followed.
• First-notice timing in dispute - was it 36 hours? 48? Carrier says we were late.
• Forensic firm engaged was not on the carrier's panel - non-panel costs not covered.
• Ransom payment authorization process not documented to OFAC standards. SDN screening evidence missing.
• Settlement coverage offered at 60 cents on the dollar. Take it or litigate.