Notifications are legally required — and time-sensitive
A ransomware attack is not just an IT incident. Depending on your industry, the type of data affected, and your jurisdiction, you may have legal obligations to notify regulators, affected individuals, law enforcement, and your cyber insurance carrier — all within specific timeframes. Missing these windows can result in regulatory fines, insurance claim denials, and legal liability that significantly compounds the cost of the attack.
Internal leadership and legal counsel — immediately
Your executive leadership and legal counsel should be notified as soon as the attack is confirmed — before most other notifications. Legal counsel needs to be involved early to:
- Assess which regulatory notification obligations apply
- Preserve attorney-client privilege over incident communications where possible
- Guide decisions about ransom payment (which has legal implications under U.S. Treasury Office of Foreign Assets Control (OFAC) sanctions regulations)
- Advise on communications to employees, clients, and vendors
Cyber insurance carrier — promptly, per your policy
Most cyber insurance policies require prompt notification after a covered incident — often within 24–72 hours. Review your policy immediately and contact your carrier or broker. Delayed notification is one of the most common reasons cyber insurance claims are denied or reduced.
Your carrier will typically provide access to their incident response panel — forensic investigators, legal counsel, and sometimes a public relations firm. Using these resources is usually covered under your policy and can significantly reduce out-of-pocket costs.
Law enforcement — FBI IC3
Report the attack to the FBI's Internet Crime Complaint Center at ic3.gov. Law enforcement reporting is voluntary but strongly recommended. The FBI has ransomware decryption keys for some variants, can share threat intelligence, and tracks ransomware groups — your report contributes to investigations that may ultimately disrupt the attackers.
Local law enforcement may also be appropriate depending on the nature and scale of the attack.
Regulatory notifications
If any personal, financial, or health information may have been exposed, you may have mandatory regulatory notification obligations:
NYDFS Part 500 (NY-licensed financial entities)
Entities covered by the New York Department of Financial Services (NYDFS) cybersecurity regulation (23 NYCRR Part 500) must notify NYDFS of a "cybersecurity event" within 72 hours of determining it qualifies as a reportable event. A ransomware attack affecting nonpublic information almost certainly qualifies. The notification is made through the NYDFS Cybersecurity portal.
HIPAA (healthcare organizations)
A ransomware attack affecting PHI (Protected Health Information) is presumed to be a breach under HIPAA unless you can demonstrate a low probability that PHI was compromised. You must notify the U.S. Department of Health and Human Services (HHS) within 60 days of discovering the breach. If 500 or more individuals in a state are affected, you must also notify prominent media outlets in that state. Affected patients must be notified individually without unreasonable delay.
CT Breach Notification Law
Connecticut requires notification to affected Connecticut residents "in the most expedient time possible" following discovery of a breach of computerized data containing personal information. You must also notify the Connecticut Attorney General if the breach affects more than 500 Connecticut residents.
NY SHIELD Act
New York's SHIELD Act requires notification to affected New York residents "in the most expedient time possible and without unreasonable delay" following discovery of a breach of private information.
Affected clients, patients, or partners
Beyond regulatory requirements, your legal counsel will advise on whether direct notification to affected clients or partners is appropriate. In many cases, proactive communication — before you're legally required to notify — can preserve trust and reduce long-term reputational damage.
Quick Reference Checklist
- Notify internal leadership and engage legal counsel immediately
- Contact cyber insurance carrier — check your policy for notification window
- File a report with FBI IC3 at ic3.gov
- Assess NYDFS, HIPAA, CT, and NY notification obligations with legal counsel
- Preserve all incident documentation for insurance claims and regulatory filings
- Do not make public statements without legal counsel review
- Do not pay ransom without consulting legal counsel (OFAC implications)