How to Build an Insurance-Ready Incident Response Plan (Without the Overkill)
- Mahesh Thiyagarajan
- Jul 8
- 1 min read
When it comes to cyber insurance, having an incident response (IR) plan isn’t just a nice-to-have; it is often a policy requirement. Many organisations assume that means drafting a massive technical document that sits untouched in a folder. The truth? Insurers want to see a practical plan that the people named in it actually understand, and evidence that you have tested it.
What Insurers Expect
Most cyber insurers in 2025 look for:
- A documented IR plan that outlines roles, responsibilities, and communication procedures.
- Evidence that the plan has been reviewed and updated within the past 12 months.
- Proof of testing, such as tabletop exercises, breach simulations, or after-action reviews.

What “Good Enough” Looks Like
You don’t need a 50-page plan or a dedicated security operations centre. What you need is:
- A concise, role-based plan (5–10 pages is often sufficient).
- Clear contacts for legal, technical, and executive escalation, including out-of-hours numbers.
- Pre-written communications templates for internal and external use.
- A copy of the plan and contact list kept somewhere that does not depend on the systems it is meant to protect (printed, or on a device outside the network), so it is still reachable if a file server or email is encrypted.
How to Run a Simple Tabletop Exercise
Select a realistic scenario, such as ransomware targeting your file server, and gather your key stakeholders. Walk through:
- Who gets alerted, and how?
- What systems are affected, and how do you contain them?
- Who communicates with staff and customers?
- How do you engage external IT or legal help?
- How do you restore service, and from which backups?
Take dated notes, record the action items, and revise your plan afterwards; that written record is the evidence of testing an insurer will ask for. Even a 90-minute session once a year can demonstrate due diligence.
Final Word
An incident response plan doesn’t have to be overengineered. Keep it tight, ensure people understand their roles, and test it regularly. That’s what insurers, and your business, really need.