A cyber emergency contact list is a pre-assembled directory of internal and external parties who need to be contacted during a cybersecurity incident. During the chaos of an active breach, searching for phone numbers, email addresses, and account information wastes critical time. Having this information compiled, current, and accessible before an incident occurs enables a faster, more coordinated response.
The contact list should include internal contacts (CEO, CFO, CISO or IT lead, legal counsel, HR, communications), external contacts (cyber insurance carrier and policy number, breach response attorney, forensics firm, managed security provider), and regulatory contacts (relevant regulators, law enforcement, breach notification entities). Each entry should include the individual's name, role, phone number, email, and the circumstances under which they should be contacted.
The contact list must be accessible during the incident, which means it cannot live solely on systems that may be compromised. Printed copies should be distributed to key personnel, digital copies should be stored on personal devices or in a secure cloud location separate from the corporate environment, and the list should be included with offline copies of the incident response plan.
The contact list should be reviewed and updated quarterly. Personnel changes, vendor changes, and insurance renewals can all render contact information stale. Assigning a specific individual to maintain the list ensures that updates happen on schedule. After any actual incident, the contact list should be reviewed for accuracy based on the experience of attempting to reach the listed parties.
Insurance carriers want to be notified promptly when incidents occur, and the emergency contact list is where that notification process begins. Applications may not ask about the contact list specifically, but carriers expect that their claims line and policy number are accessible to the response team during an incident.
Delayed notification to the insurer can complicate claims and, in some cases, jeopardize coverage under policy terms. Listing the insurance carrier's contact information, including after-hours claims numbers, in the emergency contact list ensures that notification happens early in the response process.
Healthcare emergency contacts should include the HHS OCR breach reporting portal information, state health department notification contacts, and any Health Information Sharing and Analysis Center (H-ISAC) resources. Clinical leadership should also be included for incidents that may affect patient care systems.
Law firm emergency contact lists should include the firm's designated breach response counsel (typically a different firm to maintain privilege), malpractice insurer, and the state bar ethics hotline. The list should also include contacts for clients who may need to be notified if their data is affected.
Financial institution emergency contacts must include relevant regulators (OCC, FDIC, Federal Reserve, state regulators), card brand notification contacts for PCI incidents, and the institution's BSA/AML officer if the incident may involve financial crime. FinCEN SAR filing information should also be accessible.
Retail emergency contacts should include card brand notification numbers (Visa, Mastercard, etc.), the acquiring bank, and PCI forensic investigator (PFI) contact information. For franchise operations, the franchisor's security team should be on the list with escalation procedures.
Government contractor emergency contacts must include the contracting officer, DIBCIS reporting portal information for DFARS 252.204-7012 compliance (72-hour reporting requirement), and CISA incident reporting contacts. The organizational ISSO and ISSM should be primary contacts.
Compile a comprehensive contact list including internal leadership, external vendors, insurance carrier, and regulators
Include after-hours and emergency phone numbers for all critical contacts
Distribute printed copies to all members of the incident response team
Store digital copies on personal devices and in a secure cloud location separate from corporate infrastructure
Review and update the contact list quarterly, assigning ownership to a specific individual