Incident Response Plan Services for Canadian SMBs

What Is an Incident Response Plan?

An incident response plan is a formal, documented procedure that defines how your organization detects, contains, investigates, and recovers from a cybersecurity incident — and how it communicates about the incident to regulators, affected individuals, insurers, and the public. It is not a checklist pinned to a wall or a section buried in an IT policy no one has read. A credible IR plan is a living document with named roles, decision trees, notification templates, and evidence-preservation instructions that every relevant person has rehearsed.

The core purpose of an IR plan is to convert a moment of organizational panic — servers are encrypting, email is down, a client is calling to say their data appeared on a dark web forum — into a sequence of pre-authorized, pre-practiced decisions. Without a plan, your team improvises. Improvisation during an incident costs money, extends downtime, destroys forensic evidence, triggers regulatory penalties for missed notification deadlines, and — in the worst cases — results in decision-making that makes the breach materially worse. With a plan, your team executes. The difference between an eight-hour containment and a three-day outage is almost always whether the plan existed and whether people had practiced it.

For Canadian SMBs, the regulatory dimension adds urgency that does not exist in all other jurisdictions. PIPEDA's breach-reporting obligations, Quebec Law 25's 72-hour notification window, and sector-specific requirements (OSFI B-13 for financial services, provincial health privacy legislation for healthcare) all impose deadlines and documentation requirements that cannot be met on the fly. Miss a CAI notification window during an incident you were already scrambling to contain, and you have converted a technical crisis into a regulatory one simultaneously.

An IR plan is not a luxury reserved for enterprise organizations. A 12-person law firm in Ottawa handling client trust accounts, a 35-person dental group in Calgary storing patient health records, or a 20-person e-commerce retailer in Montréal holding payment card data all face the same fundamental obligations and the same threat landscape — they simply have fewer resources to navigate them without preparation. The plan scales to the organization. A well-scoped IRP for a very small business can be built in two to three days. The question is not whether you can afford one; it is whether you can afford an incident without one.

Why Canadian SMBs Need a Formal IR Plan in 2026

Three converging pressures have made a formal incident response plan non-negotiable for Canadian SMBs in 2026. Understanding each one helps justify the investment to leadership and sets the right priorities for the plan's content.

The threat environment is demonstrably worse. The Communications Security Establishment (CSE) documented in its 2024 National Cyber Threat Assessment that ransomware affected more than 300 Canadian organizations in 2023 — exclusively the reported cases. The actual figure is materially higher, because SMBs routinely pay ransoms quietly or absorb losses without disclosure. The Sophos State of Ransomware 2024 report found that the average Canadian ransom payment reached CA$1.1 million, while recovery costs — downtime, IT remediation, lost revenue, reputational damage — averaged CA$2.7 million per incident. For a CA$10M-revenue SMB, a single uncontained ransomware event is an existential risk. A well-executed IR plan routinely halves recovery time and, in cases where containment is rapid, eliminates the need for ransom payment entirely.

Regulation now requires documented response capability. Law 25 in Quebec is explicit: the 72-hour notification window to the CAI begins when the organization becomes aware of a confidentiality incident involving personal information. There is no grace period for organizations that had no plan. PIPEDA's "real risk of significant harm" standard is being applied with increasing rigour by the OPC, and Bill C-27, currently in Parliament, will tighten federal obligations further. Regulators in enforcement proceedings look for two things: whether you had a plan before the incident, and whether you followed it. Having neither converts a manageable regulatory interaction into a public finding.

Cyber insurers require it. The Canadian cyber insurance market has fundamentally restructured since 2021. Underwriters now require, as a condition of both issuance and renewal: MFA on email and remote access, tested isolated backups, an EDR solution on all endpoints, and a documented, tested incident response plan. Applications without an IRP receive either significantly higher premiums or outright declinations. More critically, claims can be partially or fully denied when insurers find that the organization had no documented response procedure and that its improvised actions during the incident caused additional data exposure or compliance failures. Your IR plan is not just a security document — it is a claims-defence document.

The combined effect of these three pressures means that an IR plan is now as fundamental to running a Canadian business that handles data as having a fire evacuation plan is to running a building. It is no longer a question of best practice; it is a question of regulatory compliance, insurance coverage, and operational survival.

The Four Phases of NIST SP 800-61r2: Canada's Incident Response Standard

The National Institute of Standards and Technology's Computer Security Incident Handling Guide (NIST SP 800-61, revision 2) is the international reference framework for incident response. Canadian regulators, insurers, auditors, and security practitioners universally recognize it as the benchmark for a credible IR program. Its four-phase structure provides the skeleton on which every IR plan should be built.

Phase 1: Preparation. This is everything that happens before an incident occurs. Preparation includes building the IR plan itself, developing scenario playbooks, running tabletop exercises, establishing communication channels, pre-authorizing response actions, assembling contact lists (legal counsel, insurer hotline, forensic IR firm, PR advisor, key regulators), and putting technical controls in place that make detection faster and containment more effective. The CSE's Cyber Hygiene Recommendations (available at cyber.gc.ca) map directly onto the Preparation phase — organizations that implement the CSE's baseline controls detect and contain incidents faster and with lower total cost. Preparation is the phase where all the leverage is; the other three phases are where you spend it.

Phase 2: Detection and Analysis. An incident begins not when the attacker enters your environment but when your team detects and confirms the event. Many Canadian SMBs discover breaches days or weeks after initial compromise — the average dwell time for ransomware actors in Canada is 14 days before encryption (Mandiant M-Trends 2024). The Detection and Analysis phase defines: what sources generate alerts (EDR, email security gateway, backup monitoring, user reports), who receives those alerts, how they are triaged, what constitutes an incident versus a lower-severity event, and how severity is classified. The phase ends with a confirmed scope of impact — what systems are affected, what data was accessed, what the attack vector appears to be — which then drives all subsequent decisions.

Phase 3: Containment, Eradication, and Recovery. This is the operational core of the incident response. Containment stops the bleeding: isolate affected systems, revoke compromised credentials, block attacker command-and-control infrastructure, preserve forensic evidence. Eradication removes the threat: identify and remove malware, close the initial access vector, harden the environment against re-entry. Recovery restores operations: rebuild from clean backups, validate integrity of recovered systems, gradually restore network connectivity with monitoring in place. The IR plan must define decision authority at each step — who can authorize taking a production system offline, who signs off on paying a ransom, who approves restoring a system before forensics is complete. Ambiguity in authority during an active incident is one of the most common sources of extended downtime.

Phase 4: Post-Incident Activity. After the immediate crisis is contained, the plan drives a structured review: root-cause analysis, regulatory notification completion, insurance claim documentation, lessons-learned report, and plan update. The post-incident review is where the organization captures institutional knowledge — what the attacker did, how they got in, what slowed containment, what would have been done differently — and converts it into improvements to the plan, the technical environment, and staff training. Organizations that skip the post-incident review repeat the same failures in the next incident. The lessons-learned report is also documentary evidence that regulators and insurers find useful in demonstrating a functioning security program.

IR Plan Development: What a Complete Document Contains

A credible incident response plan is not a generic template downloaded from the internet and filled in with your company name. It is a document built from your specific environment, your specific regulatory obligations, your specific staff structure, and your specific suppliers. The following are the required components — their absence is a red flag regardless of how polished the document looks.

Scope and purpose statement. What the plan covers, what it does not, and who it applies to. Includes the definition of a "security incident" for your organization — a standard that distinguishes a reportable event from normal IT noise.

Incident response team (IRT) roster. Named roles with specific responsibilities, backup contacts for each role, and pre-authorized decision authority. Critical roles include: Incident Commander (the person who declares an incident and owns the response), Technical Lead (who directs containment and forensics), Legal Counsel contact (internal or external — must be pre-identified, not looked up during the incident), Privacy Officer (who owns PIPEDA and Law 25 notification), Communications Lead (who handles internal communications and any external statements), and Executive Sponsor (who authorizes extraordinary expenditures). For a 20-person SMB, several of these roles will be held by the same individual — that is fine, as long as the document says so explicitly.

Incident classification and severity matrix. A structured system for rating incident severity — typically P1 through P4 or Critical/High/Medium/Low — with specific criteria for each level and defined response time commitments per severity. P1/Critical might be: active ransomware encryption, confirmed data exfiltration of personal information, or complete loss of a production system that cannot be brought down for maintenance. The matrix drives escalation: a P3 event is handled by IT; a P1 triggers the full IRT and legal notification review within two hours.

Communication procedures and templates. Pre-drafted notification templates for: internal staff notification, affected-individual breach notification (required under PIPEDA and Law 25 when harm thresholds are met), OPC breach report, CAI 72-hour notification, law enforcement referral, and cyber insurance initial claim notification. These templates should be reviewed by legal counsel before the incident, not written during one.

Evidence preservation procedures. Step-by-step instructions for capturing and preserving forensic evidence: memory dumps, disk images, log exports, email header preservation. These procedures must be documented because a non-technical staff member may need to execute them before a forensics specialist is on-site. Destroying or failing to preserve evidence can compromise legal options, insurance claims, and law enforcement investigations.

Recovery and business continuity integration. How the IR plan interfaces with your business continuity plan and disaster recovery plan — specifically, at what point in the incident lifecycle the recovery phase begins and who authorizes each stage of restoration. See our business backup and disaster recovery guide for how backup architecture affects recovery time objectives during an active incident.

Plan maintenance schedule. IR plans that are not reviewed and updated become actively dangerous — they reference systems, contacts, and vendors that no longer exist. The plan must specify a review cadence (at minimum annually, and after any significant infrastructure change or after any actual incident), a named owner responsible for reviews, and a version-control log.

Incident Response Playbooks: Scenario-Specific Guides That Save Hours

An IR plan defines the overall framework. Playbooks define the precise steps for specific incident types. The distinction matters in practice: when ransomware is actively encrypting your file server at 2 a.m., your IT contact does not want to read the full IR plan to find the relevant section. They want a two-page, ordered procedure that tells them exactly what to do in the next 30 minutes. That is a playbook.

Each playbook follows a consistent structure: detection indicators (how you know you are dealing with this incident type), immediate containment actions, evidence-preservation steps, escalation triggers, external notification checklist, and recovery sequence. The playbook also specifies which sections of the general IR plan apply — it cross-references rather than duplicates.

The five essential playbooks for a Canadian SMB, in priority order, are:

Ransomware. The most destructive and most common. Covers: identifying the encryption event (file-extension changes, volume shadow copy deletion alerts, EDR alerts), immediate isolation of affected segments, backup integrity verification, decision tree for ransom negotiation versus recovery, Law 25 and PIPEDA breach assessment given that ransomware constitutes a confidentiality incident under Law 25 regardless of whether data was exfiltrated.

Business email compromise (BEC). A targeted attack in which an attacker gains access to a business email account and uses it for fraud — redirecting wire transfers, requesting gift cards, impersonating executives. BEC losses in Canada exceeded CA$70 million in 2023 according to the Canadian Anti-Fraud Centre. The playbook covers: suspicious email detection, account isolation, financial institution notification, client notification where funds were fraudulently requested, and account forensics to determine scope of access.

Phishing with credential harvest. When a staff member clicks a phishing link and submits credentials. Covers: credential revocation, session invalidation, scope assessment (what systems could the compromised account access?), MFA status review, user communication, and broader environment scan for lateral movement.

Data exfiltration or insider threat. When personal data or confidential business data leaves the organization — either through an external attacker or an employee action. Covers: data classification and scope assessment, affected-individual identification, PIPEDA and Law 25 notification assessment and timeline, legal hold procedures, and HR coordination where the insider dimension is confirmed.

Cloud account takeover. Unauthorized access to your Microsoft 365, Azure, Google Workspace, or AWS environment. Given that most Canadian SMBs now run their entire business in Microsoft 365, this playbook has become as important as the ransomware playbook. Covers: Entra ID sign-in log review, conditional-access lockdown, OAuth app review, mailbox rule audit, and Microsoft Secure Score reassessment post-incident.

Organizations in specific sectors will need additional playbooks: a healthcare provider needs a health-data-breach playbook that addresses provincial health privacy legislation; a law firm needs a solicitor-client privilege preservation procedure; a financial services firm needs an OSFI incident notification process. Playbooks are not one-size-fits-all — they are built around your specific environment and obligations. See our endpoint protection guide for how EDR tooling generates the detection signals that trigger your playbooks.

Tabletop Exercises: The Highest-Leverage Hour in Cybersecurity

A tabletop exercise is a facilitated discussion in which your leadership and response team works through a realistic incident scenario without touching live systems. There is no coding, no network action, no actual system intervention — just conversation, decision, and documentation of what your team actually did versus what the plan says they should do. The gap between the two is where every worthwhile incident response investment gets made.

Tabletop exercises consistently surface three categories of problems that document review never catches. Role confusion — the IT contact assumes the owner will call the insurer; the owner assumes IT already did. Decision authority gaps — nobody knows who can authorize taking the ERP offline, so the decision stalls for six hours while the ransomware keeps encrypting. Communication breakdowns — the team discovers mid-exercise that the insurer's emergency hotline number is in the admin assistant's laptop that was encrypted in hour one.

A well-designed tabletop exercise for a Canadian SMB runs two to four hours with four to eight participants: the owner or CEO, operations lead, IT contact (internal or MSP), legal counsel (by phone if necessary), and whoever serves as privacy officer. The facilitator introduces the scenario — typically ransomware, because it is the most instructive and most common — and then drives the team through the NIST phases using inject events: "It is now hour two. Your backup verification reveals the ransomware has been in the environment for 11 days and has compromised your backup targets. What do you do?" Each inject forces a real decision under realistic time pressure.

The output of a tabletop exercise is a written findings report that documents every gap identified, every decision that was unclear, and every plan section that needs updating. The report becomes the immediate action list for the plan revision that always follows a tabletop. Canadian cyber insurers increasingly ask for tabletop documentation at renewal — the ability to produce a signed findings report from a recent exercise is tangible evidence of a functioning IR program, not just a document.

Security frameworks including NIST CSF 2.0 and CIS Controls v8 both recommend annual tabletop exercises as a minimum for organizations handling personal or sensitive data. Organizations in regulated sectors — healthcare, finance, legal — should run two per year: one scenario familiar to the team (ransomware) and one that is less practiced (insider threat, supply-chain compromise) to avoid the false confidence that comes from rehearsing only the scenarios you have already learned. Our cybersecurity hub covers additional security-awareness training approaches that complement tabletop exercises at the staff level.

How We Build Your IR Plan: Step by Step

TechCare Canada's IR plan engagements follow a structured process built on the NIST SP 800-61r2 framework and calibrated to the regulatory obligations — PIPEDA, Law 25 — that apply to your specific business. Here is the full sequence for a standard SMB engagement:

1. Scoping call (Day 1, ~90 minutes). We establish the boundary of the engagement: how many employees, what systems and data types, which sites and cloud environments, which regulatory frameworks apply (PIPEDA, Law 25, sector-specific), and what existing IR documentation — if any — is already in place. We also identify all key roles to be filled in the IRT roster and confirm the engagement timeline.
2. Environment and document intake (Days 1–3). We review your current IT environment summary (from your MSP or internal IT team), existing security policies, insurance policy terms and endorsements, any previous risk assessments, and any prior incident records. We request read-only access to your Microsoft 365 Secure Score and, if available, your EDR management console — not to modify anything, but to understand what detection capability is already in place and how alerts currently route.
3. IR plan drafting (Days 3–8). We draft the full IR plan document: scope, IRT roster, severity classification matrix, phase-by-phase procedures, communication templates (internal, OPC, CAI, insurer, affected-individual notification), evidence-preservation procedures, and recovery integration. The draft is built for your specific environment — not a generic template with your name inserted.
4. Playbook development (Days 6–10). We develop scenario-specific playbooks for your confirmed priority scenarios — typically ransomware, BEC, phishing, and cloud account takeover as a baseline, plus any sector-specific scenarios your regulatory or insurer requirements flag. Each playbook is reviewed against your actual environment to ensure the detection indicators and containment steps match what you can actually execute.
5. Legal and privacy review (Days 8–12). We provide the draft plan and notification templates to your legal counsel for review. This step is non-negotiable — the communication templates and notification timelines have legal implications under PIPEDA and Law 25, and only your legal counsel can confirm they are appropriate for your specific circumstances. We facilitate the review and incorporate feedback.
6. Internal walkthrough (Day 12, ~2 hours). We walk the IRT through the complete plan — not as a formal tabletop, but as a structured orientation to ensure every named role understands their responsibilities, knows where the document lives, and can locate the critical information they will need in the first 30 minutes of an incident. Action items from the walkthrough are incorporated into the plan before final delivery.
7. Tabletop exercise (Day 14–16, half-day). For engagements that include a tabletop, we design and facilitate the exercise using a scenario tuned to your industry and known threat profile. The exercise is followed by a written findings report within five business days. Findings drive a final plan revision.
8. Final delivery and handoff (Day 16–20). Final versions of the IR plan and all playbooks are delivered in editable format (Word and PDF), along with a version control log and a recommended annual review calendar. We conduct a 30-minute handoff call with the designated plan owner and confirm the plan is stored in at least two locations that will be accessible when your primary systems are down — typically a printed copy in a physical location and a copy in a cloud drive accessible from a personal device.

The total engagement timeline for a standard SMB is three to four weeks. Organizations that also engage us for ongoing IR retainer services receive a prioritized scheduling slot and annual plan reviews as part of the retainer scope.

PIPEDA and Law 25 Breach Reporting: Timelines and Obligations

Breach notification in Canada is governed by two primary legal frameworks, and your IR plan must address both explicitly. Missing a notification deadline — or notifying the wrong body, in the wrong format, at the wrong time — converts a technical incident into a regulatory enforcement matter.

PIPEDA (federal — applies nationwide to most private-sector organizations). Under the federal breach-notification regulations in force since 2018, organizations must report a breach to the OPC (priv.gc.ca) "as soon as feasible" after determining that the breach creates a "real risk of significant harm" to individuals. The regulations define real risk of significant harm by reference to a non-exhaustive list of factors including: the sensitivity of the personal information involved, the probability of misuse, the number of individuals affected, and the nature of the harm (bodily harm, humiliation, financial loss, identity theft, damage to reputation). There is no fixed 72-hour clock under PIPEDA — "as soon as feasible" has been interpreted by the OPC to mean within days of confirmed scope, not weeks. Your IR plan must include a harm-assessment checklist that your Privacy Officer runs within 24 hours of breach confirmation to determine whether the PIPEDA threshold is met. You must also notify affected individuals directly when the real-risk-of-significant-harm threshold is met, using plain language that allows them to take protective action. All breaches, regardless of whether notification is required, must be recorded in an internal breach log maintained for at least 24 months.

Quebec Law 25 (provincial — applies to organizations collecting personal information of Quebec residents). The Law 25 standard is strictly harder. Any confidentiality incident — defined as any unauthorized access to, use of, or communication of personal information — must be reported to the Commission d'accès à l'information (CAI) within 72 hours of the organization becoming aware of it. This is not conditional on a harm assessment; the notification obligation attaches to the awareness of the incident itself, not to a determination that harm is likely. The CAI form requires: a description of the incident, the personal information involved, the approximate number of individuals affected, and the measures taken or planned to reduce the risk of harm and prevent similar incidents. Affected individuals must also be notified directly "with diligence" when there is a risk of serious injury. Administrative monetary penalties under Law 25 reach up to 4% of worldwide annual turnover or CA$25 million — the CAI issued its first formal penalty under the new framework in 2024, and active enforcement is now underway.

What this means for your IR plan. Your plan must contain: a named Privacy Officer with clear authority to initiate notifications, a dual-track notification checklist (PIPEDA harm assessment + Law 25 72-hour trigger), pre-drafted notification letters and CAI report templates reviewed by legal counsel, a breach-log template, and a documented decision tree that tells the Privacy Officer exactly when each obligation is triggered. The decision tree must be simple enough to execute at 3 a.m. on a Saturday when your legal counsel is unreachable, which is why legal review of the templates before the incident is essential. See our detailed Law 25 compliance guide for the full regulatory obligations and how to structure your privacy officer role to meet both frameworks simultaneously.

Organizations that handle health data in provinces with dedicated health privacy legislation (PHIPA in Ontario, HIA in Alberta, PHIA in Manitoba) face additional notification obligations layered on top of PIPEDA and Law 25. Your IR plan must identify every applicable regime and name the regulator for each.

IR Retainer Services: On-Call Response When the Incident Happens

An IR plan tells your team what to do. An IR retainer ensures that when the plan calls for expert outside help, that help arrives in hours, not days. A retainer is a pre-negotiated contract with an incident response provider that guarantees priority access, a defined response time commitment, and rates that are locked in advance — rather than the emergency hourly rates of an unknown vendor contacted in the middle of a ransomware event.

The economic logic of a retainer is straightforward. Emergency IR rates without a retainer run CA$350–$600 per hour per responder, with a minimum engagement of typically CA$15,000–$25,000 for a P1 incident. Availability at short notice is not guaranteed — qualified IR firms have finite capacity, and major incidents in Canada often occur in clusters that create queue times. A retainer client gets a guaranteed response time (commonly four to eight hours for a P1 breach declaration), a pre-negotiated rate (typically CA$250–$400 per hour within retainer scope), an environment-onboarding session so the responders already know your systems before the incident, and an annual plan review and tabletop exercise included in the retainer fee. For organizations whose cyber insurance policy includes a coinsurance clause or requires demonstrable IR capability, a retainer agreement can also satisfy that requirement.

IR retainer services complement — they do not replace — your internal IR plan and your managed IT provider's day-to-day security monitoring. For organizations that want the on-site technical execution layer alongside the strategic planning, IT Cares provides hands-on breach containment and remediation services for Canadian businesses, pairing with the documented plan to execute the containment steps your playbooks define. The retainer handles the expertise; your plan handles the authority and communication sequences that no outside firm can execute on your behalf.

Canadian cyber insurers also maintain preferred IR vendor panels. If your policy names a preferred vendor, engaging them first — even before your own IR retainer provider — may be a condition of claim eligibility. Your IR plan must document your insurer's requirements and the sequence for engaging your insurer versus your retainer provider. That sequence should be resolved during the engagement, not improvised during the incident.

IR Plan and Retainer Pricing in Canada — 2026 Benchmarks

Canadian pricing for incident response planning and retainer services has become more consistent over the past two years as the market has matured. The figures below reflect the 2026 market for qualified SMB-focused IR service providers — not enterprise Big Four consultancies, whose pricing is typically three to five times higher for comparable scope, and not generalist IT vendors offering a template document as an "IR plan service." Fixed-fee, scoped engagements with defined deliverables consistently outperform hourly billing — demand a fixed fee and a statement of work before signing.

The economics are straightforward: a full engagement at CA$12,000 costs less than two hours of emergency IR response during a major ransomware event. Organizations in cities with higher consultant density — Toronto, Vancouver, Montréal, Ottawa, Calgary — have more provider options and slightly more competitive pricing. Smaller markets (Halifax, Winnipeg, Québec City, Regina) may see 10–15% premium for on-site services, though most plan-development work is conducted remotely regardless of location.

In-House IR Capability vs. Outsourced Response — Side-by-Side Comparison

Most Canadian SMBs face a realistic choice between three approaches to incident response capability. Understanding the trade-offs clearly helps leadership make a budget decision they can defend to their board, their insurer, and their regulator.

For most Canadian SMBs between 20 and 150 employees that handle personal information, sensitive client data, or payment card data, the plan-plus-retainer model delivers the strongest risk-adjusted outcome. The "no plan, emergency-only" column represents the current state for the majority of SMBs — and the emergency cost figures are real. A single ransomware event handled without a plan or retainer regularly costs CA$50,000–$200,000 in total recovery costs when downtime, IT remediation, legal fees, and regulatory engagement are included.

IR Plan Checklist for Canadian SMBs

Use this checklist to evaluate an existing IR plan or to verify the completeness of a plan delivered by a provider. Every item on this list is a documented requirement under NIST SP 800-61r2, PIPEDA, Law 25, or standard cyber insurance underwriting criteria. Any "No" answer represents a gap that should be remediated before the plan is considered ready for use.

• ☐ Incident response team roster with named individuals and backup contacts for each role
• ☐ Documented decision authority — who can declare a P1, who can authorize system isolation, who can approve ransom negotiation
• ☐ Incident severity classification matrix with defined criteria for each level
• ☐ PIPEDA real-risk-of-significant-harm assessment checklist
• ☐ Law 25 72-hour CAI notification trigger and checklist (if applicable to Quebec residents)
• ☐ Pre-drafted OPC breach report template, reviewed by legal counsel
• ☐ Pre-drafted CAI notification template, reviewed by legal counsel
• ☐ Pre-drafted affected-individual notification letter, reviewed by legal counsel
• ☐ Cyber insurer emergency hotline number and required notification sequence documented
• ☐ Evidence-preservation procedures (memory dump, disk image, log export instructions)
• ☐ At minimum one playbook per: ransomware, BEC, phishing/credential harvest
• ☐ Plan stored in at least two locations accessible when primary systems are down
• ☐ Tabletop exercise completed in the last 12 months, with written findings report
• ☐ Annual review schedule documented, with named plan owner
• ☐ Internal breach log template, with 24-month retention policy
• ☐ Legal counsel emergency contact pre-identified and available outside business hours
• ☐ Recovery and backup restoration procedures documented and tested in the last 90 days
• ☐ Staff notification procedure for non-IRT employees during an active incident

This checklist covers the baseline requirements. Organizations in regulated sectors (healthcare, finance, legal) will have additional items driven by their specific regulatory obligations. The checklist should be reviewed by your legal counsel before being finalized — the notification items in particular carry legal precision requirements that a technical checklist cannot substitute for.

Common Mistakes in Incident Response Planning

Most IR plan failures in Canadian SMBs are not technical. They are organizational, and they are predictable. Understanding them in advance is the most efficient way to avoid them.

Building the plan with IT alone. Incident response is not an IT problem — it is a business problem that IT is part of. A plan built exclusively by the IT contact will have excellent technical containment steps and no decision tree for when to notify the CEO, who calls the insurer, or how to handle media inquiries. The business owner, legal counsel, and privacy officer must be engaged in plan development, not just handed the finished document.

Storing the plan only on systems that may be compromised. A ransomware event that encrypts your file server also encrypts your network share where the IR plan lives. Every organization must maintain a copy of their IR plan in at least two locations that are independent of the primary network: a printed binder in a physical location, and a copy in a personal cloud drive (personal Microsoft account or Google Drive) accessible from a personal device. This sounds trivially obvious, and it is overlooked in approximately half of first-time IR plan reviews.

Writing the plan without legal review. The notification templates — the OPC breach report, the CAI 72-hour notification, the affected-individual letter — have legal implications that a security consultant cannot fully anticipate. Statements made in a notification template can become admissions in regulatory proceedings or litigation. Your legal counsel must review every template before it is finalized. This review typically costs CA$500–$1,500 in lawyer time and can prevent consequences that cost orders of magnitude more.

Never running a tabletop exercise. A plan that has never been practiced is a document, not a capability. The role confusion, communication gaps, and authority ambiguities that a tabletop surfaces in a controlled two-hour environment will surface in an uncontrolled way during a real incident — at maximum cost and minimum ability to course-correct. Every IR plan should be tested within 30 days of completion and annually thereafter.

Letting the plan go stale. An IR plan built in 2022 references the IT environment, staff roster, insurer, and vendor contacts of 2022. If your organization has changed cloud platforms, changed MSPs, had staff turnover in key IRT roles, or changed your cyber insurance carrier, your plan may direct people to contact individuals or systems that no longer exist in that role. Most IR plans should be reviewed every 12 months and after any significant infrastructure change. The plan owner — whoever that role is assigned to — must treat the annual review as a non-negotiable calendar item, not a nice-to-have.

Confusing the IR plan with a business continuity plan. These are related but distinct documents with different scopes. The IR plan covers the security response — containment, eradication, forensics, regulatory notification. The business continuity plan covers operational continuity — how you keep serving clients while systems are compromised or under restoration. Your organization needs both, and they need to reference each other clearly at the handoff points. See our backup and disaster recovery guide for the recovery-side planning that complements your IR plan.

Case Study: Ransomware at a Toronto Distribution Company (2025)

The following is a composite case study based on a typical first-response engagement profile for a Canadian distribution company. Identifying details have been modified.

The client: A 42-person logistics and distribution company in the Greater Toronto Area, operating a warehouse management system (WMS) and customer portal. Annual revenue approximately CA$8.5M. A managed IT provider handled day-to-day support; no dedicated security staff. No IR plan on file. Cyber insurance in place with a CA$500,000 limit and a CA$50,000 retention (deductible). The insurer's renewal questionnaire, received three months earlier, had included a checkbox for "documented incident response plan" — the IT manager had checked Yes.

The incident: On a Tuesday morning, staff arrived to find the WMS inaccessible and file-share drives displaying encrypted files with a ransom note. The ransomware had been in the environment for nine days, delivered via a phishing email that had harvested the IT manager's Microsoft 365 credentials. The attackers had used those credentials to access the company's remote management tool, disable the EDR agent on the file server, and deploy the ransomware payload. Backups on the network-attached storage device had also been encrypted — the device was not isolated from the production network.

What happened without a plan: Three hours were lost to confusion over who had authority to take systems offline. The managed IT provider was called but was responding to two other client emergencies simultaneously. The business owner called the insurer at hour four; the insurer directed them to the claims portal rather than an emergency hotline because the policy did not include incident response support. By the time an emergency IR firm was engaged at hour six, the Windows Volume Shadow Copies — which could have provided a partial recovery path — had been identified as deleted. Legal counsel was not engaged until day two; the Law 25 assessment (the company served multiple Quebec clients) was not initiated until day three, at which point the 72-hour CAI notification window had already closed.

The outcome and costs: Recovery took 12 business days. Total costs: CA$22,000 in emergency IR firm fees, CA$14,000 in MSP overtime and system rebuilds, CA$31,000 in estimated lost revenue during the outage, CA$8,500 in legal and regulatory costs, and CA$4,200 in notification administration. Total: CA$79,700. The insurer paid CA$29,700 after applying the deductible — leaving the company absorbing CA$50,000 in out-of-pocket losses. The CAI issued a compliance order for the missed notification window. The insurer's next renewal included a specific requirement for a documented, tested IR plan as a condition of coverage — effectively mandating what should have been in place before the event.

What the plan would have changed: An IR plan with named roles, a decision-authority matrix, and the insurer's emergency number as a Day 1 call would have eliminated the three hours of authority confusion. A tabletop exercise would have surfaced the backup isolation gap months earlier. Pre-drafted Law 25 notification templates would have met the 72-hour window. Total estimated cost reduction: CA$35,000–$45,000 — roughly four times the cost of building the plan in the first place. The plan also would have prevented the compliance order, which carries its own ongoing administrative burden. The IR plan engagement after the fact cost CA$6,800. That number would have been the same before the incident.

Related Guides

• Small Business Cybersecurity Hub →
• Cybersecurity Consulting Services Canada →
• Quebec Law 25 Compliance Guide →
• Business Backup & Disaster Recovery →
• Endpoint Protection Services Canada →
• Email Security Services Canada →
• Cybersecurity Services Canada — Provider Guide →

FAQ

Frequently Asked Questions