Incident Response Plan for Small Business: A Canadian Guide


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

KEY TAKEAWAYS

  • An incident response plan is a documented playbook organized around a six-phase lifecycle that expands NIST SP 800-61 r2 (NIST’s four phases, with containment, eradication, and recovery split out).
  • About 11% of Canadian SMBs maintain a formal IRP; roughly half have nothing written down.
  • PIPEDA requires notifying the OPC and affected individuals as soon as feasible when a breach creates real risk of significant harm.
  • Tabletop exercises run twice per year expose gaps before a real incident does, and most carriers now ask for the date on renewal.
  • Across Fusion Computing’s 47 Canadian SMB engagements through Q1 2026, only 6 clients had a contact list that survived a phone test on first attempt.


What is an incident response plan, and why every Canadian SMB needs one in 2026?

An incident response plan (IRP) is a documented playbook that defines who does what when a cybersecurity incident happens, from first alert through containment, eradication, recovery, and post-incident review. The plan names roles, lists verified contacts, sets severity thresholds, and provides communication templates so a Canadian small business does not improvise through ransomware or business email compromise at 2 a.m.

Every Canadian organization handling customer data, employee records, or payment information needs one. CIRA’s 2025 Canadian Cybersecurity Survey reports 44% of Canadian organizations experienced a cyber incident in the prior 12 months. IBM’s 2024 Cost of a Data Breach study pegged the global average breach at USD 4.88 million; the 2025 edition puts it at USD 4.44 million.

For a 30-person firm, a week of downtime, a forced domain-controller rebuild, and a notification mail-out to 4,000 customers runs six figures before anyone counts lost trust. A tested plan compresses the timeline because the decisions are already made before the alert fires. Pair it with managed detection and response, so someone is acting on alerts overnight, and containment that would otherwise take days can be done in hours. A practical SMB plan is 8 to 15 pages, typically scoped through managed cybersecurity services.

The 6 phases of incident response (expanded NIST SP 800-61 r2 framing)

The NIST Computer Security Incident Handling Guide (SP 800-61 r2) is the reference model most Canadian auditors and cyber insurers recognize. NIST itself defines four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity). The six-phase layout below, also used by SANS, splits the third phase into containment, eradication, and recovery so that each gets its own owner and its own exit criterion, which is what stops a 3 a.m. response from drifting into improvisation. NIST published Revision 3 in April 2025, reorganized around the Cybersecurity Framework 2.0 functions; the r2 lifecycle is still the vocabulary insurers and auditors use. The table below adapts it for an SMB context.

Phase; Activities; Owner; Output

1. Preparation. Activities: define team, draft playbook, deploy EDR, MFA, and backups, run drills. Owner: IT manager + MSP. Output: approved IRP, drill log.

2. Detection & Analysis. Activities: confirm alert, classify severity, scope affected systems, open ticket. Owner: technical lead. Output: severity rating, scope memo.

3. Containment. Activities: isolate hosts, disable accounts, preserve evidence, hold communications. Owner: incident commander. Output: containment timestamp, evidence chain.

4. Eradication. Activities: remove malware, kill persistence, rotate credentials, patch root cause. Owner: technical lead + MSP. Output: clean-system attestation.

5. Recovery. Activities: restore from clean backups, monitor, validate, resume operations. Owner: IT manager. Output: restored services, RTO/RPO log.

6. Post-Incident Review. Activities: document timeline, capture lessons, update plan within 30 days. Owner: executive sponsor. Output: after-action report, plan v.next.

The detection-to-containment gap is where most Canadian SMB incidents go from minor to material. Microsoft Sentinel, Microsoft Defender XDR, SentinelOne Singularity, and Huntress shrink that gap only when someone is on call to act on their alerts, which is why Fusion pairs them with CISSP-led on-call. KnowBe4 PhishER routes user-reported phishing emails into the same evidence trail.

Roles and responsibilities to define before an incident

An effective IRP names four to five response roles, each with a primary owner and a backup, and writes the decision rights into the document. Without named owners the plan becomes shelfware and the first hour of the incident is spent in a meeting instead of in containment.

Role; Typical SMB owner; Decision rights

Incident commander. Owner: IT manager or CEO. Decision rights: declares severity, authorizes isolation, owns the timeline.

Technical lead. Owner: senior systems engineer or MSP on-call. Decision rights: executes containment, eradication, and restore.

Communications lead. Owner: COO or marketing director. Decision rights: approves customer, staff, and media messages.

Legal & privacy lead. Owner: external counsel or fractional DPO. Decision rights: makes the real-risk-of-significant-harm (RROSH) determination, signs OPC and provincial filings.

Executive sponsor. Owner: CEO or owner. Decision rights: approves ransom posture, insurance notice, board update.

The contact list lives next to the role table: phone, email, and after-hours numbers for the response team, the MSP, legal counsel, the insurance broker, the OPC, and the local RCMP cybercrime unit. Print it. Test it quarterly with a one-minute call to each number.

The Canadian regulatory clock (PIPEDA “as soon as feasible”, Bill C-8 cyber security incident reporting, IPC Ontario for PHI)

Canada has no single breach clock; the obligation depends on the data, the sector, and the province. The IRP should pre-classify incidents against each regime so the legal and privacy lead knows which clock starts when.

Regime; Trigger; Notification clock; Recipient

PIPEDA. Trigger: breach of security safeguards with a real risk of significant harm (RROSH). Clock: as soon as feasible (set an internal 72-hour target; the statute has no fixed number). Recipient: OPC + affected individuals, plus any organization or government body that can reduce the harm.

Bill C-8 (CCSPA), once in force. Trigger: cyber security incident at a designated operator. Clock: immediately, with detail set by regulation. Recipient: Canadian Centre for Cyber Security (CSE) + the sector regulator.

PHIPA (Ontario). Trigger: theft, loss, or unauthorized use or disclosure of PHI. Clock: at the first reasonable opportunity. Recipient: the patient; IPC Ontario in the prescribed circumstances, plus annual statistics.

OSFI (Technology and Cyber Security Incident Reporting Advisory, referenced by B-13 and E-21). Trigger: technology or cyber incident at a federally regulated financial institution that meets the reporting criteria. Clock: within 24 hours of assessing the incident as reportable. Recipient: OSFI lead supervisor.

Cyber insurance. Trigger: suspected covered event. Clock: per policy (usually 24 to 72 hours). Recipient: broker + carrier breach hotline.

Quebec’s Law 25 and Alberta’s PIPA add mandatory notification duties of their own; BC PIPA has no statutory notification clock today, although the BC OIPC encourages voluntary reporting. The IRP should hold a one-page jurisdiction map so the legal lead is not interpreting statutes during containment. PIPEDA also requires every breach of security safeguards, reportable or not, to be logged in an internal register retained for at least 24 months. Failure to log can itself become the violation. See Fusion’s PIPEDA compliance guide for the register template.

Communication templates: customers, regulators, insurer, media

Pre-written, counsel-reviewed templates separate a measured response from a 1 a.m. drafting session. Each template leaves only the variable fields (date, system, scope, remediation) blank.

Customer notice. Plain language: what happened, what data was involved, what the business is doing, what the customer should do, one contact channel. Counsel signs before send.

Regulator filing. OPC PIPEDA breach form, IPC Ontario PHI report, OSFI E-21 incident notice, Bill C-8 CCCS form, pre-mapped to the severity matrix.

Insurance notice. Broker hotline, policy number, factual summary, request to engage panel counsel and forensics under coverage. Late notice is the most common reason claims are reduced.

Internal updates. Daily staff bulletin and executive briefing. KnowBe4-driven awareness training keeps staff aligned during an event.

Tabletop exercises: how often and what to test

A Canadian SMB should run a tabletop at least twice a year, plus one functional test (live restore from immutable backup) annually. Plans never tested are fiction. Insurance underwriters now ask for the most recent tabletop date on the renewal questionnaire, and a missing answer raises the premium or narrows the ransomware sub-limit.

A working tabletop runs 90 minutes. A facilitator presents a scenario (a Huntress alert showing credential theft, or a SentinelOne Singularity detection on a finance laptop). The team executes the IRP step by step verbally while a scribe captures every gap. Output: a one-page after-action report with three to five corrective actions, each with a named owner and a 14-day deadline.

Functional tests are heavier. Pull a non-production server, simulate compromise, restore from backup, and time it against the documented Recovery Time Objective. The first functional test almost always exposes a backup that has been silently failing for months.
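The functional test above and the quarterly restore check under “Untested backups” below both come down to the same routine: restore to scratch space, verify what came back, time it, and write the result down. The script that follows is an added example for this guide, not Fusion’s tooling or any vendor’s backup format. It assumes a snapshot directory containing a manifest.json with the snapshot time and a SHA-256 per file (a layout chosen for the illustration), a 10-minute RTO and a 24-hour RPO (placeholder values), and constructs two small sample files in a temp directory so it runs offline. The verification compares restored files against the manifest hashes rather than the source, which is what catches the backup that has been reporting green while writing garbage.

```python
"""Quarterly restore drill: restore a backup snapshot to scratch space,
verify every restored file against the manifest hashes the backup job wrote,
time the restore against the documented RTO, check the snapshot's age against
the RPO, and return a structured drill-log record for the after-action file.

Added example. The manifest layout (manifest.json with "taken_at" and a
"files" -> sha256 map), the RTO/RPO values and the sample files are
assumptions made for this illustration, not any vendor's backup format.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large workloads need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_constructed_backup():
    """Constructed sample snapshot (not real data): two files plus the manifest
    a backup job would have written when it took the snapshot six hours ago."""
    snapshot = os.path.join(tempfile.mkdtemp(prefix="backup-"), "snapshot")
    os.makedirs(snapshot)
    files = {"payroll.db": b"id,name\n1,alice\n2,bob\n", "app.ini": b"[app]\nmode=prod\n"}
    for name, data in files.items():
        with open(os.path.join(snapshot, name), "wb") as f:
            f.write(data)
    manifest = {
        "taken_at": (datetime.now(timezone.utc) - timedelta(hours=6)).isoformat(),
        "files": {name: sha256_file(os.path.join(snapshot, name)) for name in files},
    }
    with open(os.path.join(snapshot, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return snapshot


def simulate_silent_backup_failure(snapshot, name="payroll.db"):
    """Constructed failure mode: the job reported green but the file on disk is
    truncated. Only a restore-and-verify against the manifest catches this."""
    with open(os.path.join(snapshot, name), "wb") as f:
        f.write(b"id,name\n")


def run_restore_drill(snapshot, rto_minutes, rpo_hours, now=None):
    """Restore, verify, time, and report. Returns the drill-log record."""
    now = now or datetime.now(timezone.utc)
    with open(os.path.join(snapshot, "manifest.json")) as f:
        manifest = json.load(f)

    target = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        start = time.monotonic()
        for name in manifest["files"]:
            shutil.copy2(os.path.join(snapshot, name), os.path.join(target, name))
        restore_minutes = (time.monotonic() - start) / 60
        # Verify against the manifest, never against the source: a backup that
        # matches itself proves nothing about what was actually captured.
        mismatches = sorted(
            name for name, expected in manifest["files"].items()
            if sha256_file(os.path.join(target, name)) != expected
        )
    finally:
        shutil.rmtree(target, ignore_errors=True)

    age_hours = (now - datetime.fromisoformat(manifest["taken_at"])).total_seconds() / 3600
    record = {
        "drill_at": now.isoformat(),
        "files_restored": len(manifest["files"]),
        "hash_mismatches": mismatches,
        "restore_minutes": round(restore_minutes, 3),
        "rto_minutes": rto_minutes,
        "rto_met": restore_minutes <= rto_minutes,
        "backup_age_hours": round(age_hours, 2),
        "rpo_hours": rpo_hours,
        "rpo_met": age_hours <= rpo_hours,
    }
    record["passed"] = record["rto_met"] and record["rpo_met"] and not mismatches
    return record


if __name__ == "__main__":
    snap = make_constructed_backup()
    print(json.dumps(run_restore_drill(snap, rto_minutes=10, rpo_hours=24), indent=2))
    simulate_silent_backup_failure(snap)  # the "green for 18 months" backup
    print(json.dumps(run_restore_drill(snap, rto_minutes=10, rpo_hours=24), indent=2))
```

The second run shows the case the text warns about: the drill still completes inside the RTO, but the record carries a hash mismatch and passed is false, which is the line the after-action report needs. Keep the returned records in the drill log the underwriter asks for; a green dashboard is not evidence, a dated record with a verified restore is.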

Cyber insurance requirements for IR plans

Most Canadian cyber insurance carriers now require a documented IRP, evidence of a recent tabletop, and proof of immutable backup as underwriting conditions. Carriers may still write a policy without these, but premiums climb and ransomware sub-limits or social-engineering exclusions widen until the coverage is mostly cosmetic.

Underwriters typically check five controls: MFA on email and remote access, EDR or XDR on every endpoint (Microsoft Defender XDR, SentinelOne Singularity, or equivalent), immutable or air-gapped backups tested in the last 12 months, a documented IRP, and a tabletop run in the last 12 months. Pair the plan with Fusion’s cyber insurance coverage checklist before the renewal questionnaire arrives. For broader continuity scope, see best practices for disaster recovery.

“A 2025 client had a 14-page IRP that named every role correctly. When ransomware hit on a Saturday, nobody could log in to read it. The document lived on SharePoint, behind the same Entra ID tenant the attacker was holding. We rebuilt response from a printed copy I had in my truck. Every Fusion-built IRP now ships with a printed binder and a phone-cached PDF. That lesson cost the client three extra days of downtime.”

Mike Pearlstein, CISSP, CEO, Fusion Computing

Common IR plan mistakes Canadian SMBs make

Most failed IRPs fail for five reasons: the plan is inaccessible mid-incident, it has never been tested, the contact list has gone stale, the communication approval chain is undefined, and backups have not been restored from in over a year.

Inaccessible plan. The IRP lives on SharePoint behind the Entra ID tenant under attack. Print copies. Store an offline PDF on a phone or thumb drive.

Never tested. The plan reads cleanly but no one has walked through it. Schedule a tabletop inside 30 days of approval.

Stale contact list. MSP managers changed. Counsel retired. The broker moved firms. Verify quarterly with a one-minute call.

Undefined approval chain. Marketing sends a customer notice before legal has reviewed it. The correction destroys trust. Write the approval matrix into the plan.

Untested backups. Backups appear green for 18 months, then fail when needed. Restore one critical workload every quarter and log the result.

How Fusion Computing builds and tests IR plans

Fusion Computing builds and tests incident response plans for Canadian businesses with 10 to 150 users out of Toronto, Hamilton, and Metro Vancouver. The work is CISSP-led, aligned to NIST SP 800-61 r2 and CIS Controls v8.1, delivered with a printed binder, a phone-cached PDF, and a recorded tabletop.

A typical engagement runs four weeks: discovery and gap assessment against PIPEDA, PHIPA, BC PIPA, OSFI E-21, and Bill C-8; drafting roles, contact list, severity matrix, and templates; integration with Microsoft Sentinel, Microsoft Defender XDR, SentinelOne Singularity, Huntress, and KnowBe4 PhishER; then the tabletop. Across the 47 Canadian SMB engagements through Q1 2026, the average client closed 11 of 13 gap-assessment findings within 60 days of the tabletop.

Frequently asked questions

Does a small business really need a formal incident response plan?

Yes. PIPEDA expects every Canadian business that handles personal information in the course of commercial activity to be able to detect a breach, respond to it, and notify when required. Most Canadian cyber insurance carriers now require a documented IRP and a recent tabletop as conditions of coverage. A 6-page plan, tested once, outperforms a 60-page plan never opened. The point is rehearsal before pressure forces the decisions.

How often should the IRP be updated?

Update the plan after every tabletop, after every real incident, and on a fixed annual review. Other triggers include staff turnover, a new core system, a carrier change, and regulatory shifts such as Bill C-8 designations. A practical cadence is light updates twice per year and a full review annually, with the owner named in the plan.

What is a tabletop exercise and how is one run?

A tabletop is a facilitated 90-minute walkthrough of a realistic scenario without touching production systems. The facilitator presents the scenario, the team executes the IRP step by step verbally, and a scribe captures every gap. Output is a one-page after-action report with three to five corrective actions, each with a named owner and a 14-day deadline. The first tabletop usually finds 8 to 12 issues.

Does cyber insurance require an incident response plan?

Most Canadian cyber insurance carriers now require a documented IRP, evidence of a recent tabletop, and proof of immutable backup as underwriting conditions. Carriers may still write a policy without these, but premiums climb and ransomware sub-limits widen. Pair the plan with the Fusion cyber insurance coverage checklist before the renewal questionnaire arrives.

What is the difference between an IRP and a business continuity plan?

An IRP covers cybersecurity events: detection, containment, eradication, recovery, notification. A BCP covers any disruption: cyber, fire, flood, power outage, vendor failure. The IRP is a subset of the BCP. For Canadian SMBs that have neither, build the IRP first because cyber events are the most frequent disruption with a hard regulatory notification clock attached.

What does PIPEDA require during a breach?

PIPEDA requires three actions. First, determine whether the breach creates a real risk of significant harm, weighing the sensitivity of the information against the probability it will be misused. Second, if the threshold is met, notify the OPC and affected individuals as soon as feasible, along with any other organization that can reduce the harm. Third, record every breach of security safeguards, reportable or not, in an internal register retained for at least 24 months. Failure to record can itself be the violation.

Who should be on the incident response team?

A Canadian SMB response team typically has four roles plus backups: an incident commander (IT manager or CEO), a technical lead (senior systems person or MSP on-call engineer), a communications lead (COO or marketing director), and a legal and privacy lead (external counsel or fractional DPO). Each role has decision rights written into the plan, with an executive sponsor approving ransom posture and board updates.

What tools support incident response for Canadian SMBs?

The Fusion Computing stack uses Microsoft Sentinel for SIEM, Microsoft Defender XDR or SentinelOne Singularity for endpoint telemetry, Huntress for managed-threat hunting, and KnowBe4 PhishER for phishing-detection routing. Products matter less than operational discipline: every tool feeds a single evidence trail that survives an OPC investigation or an insurance claim.

How fast must a Canadian SMB notify the OPC under PIPEDA?

PIPEDA uses the standard “as soon as feasible” rather than a fixed clock, but the OPC has signalled that delays measured in days require justification. A practical IRP target is 72 hours from the RROSH determination to the OPC filing, mirroring the GDPR’s 72-hour supervisory-authority clock and most cyber insurance notice clauses, with the internal breach register updated the same day.

Does your Canadian business have a tested incident response plan?

Book an IT business assessment. A CISSP-led Fusion Computing engineer will map gaps against NIST SP 800-61 r2, PIPEDA, and Bill C-8, and outline the IRP your insurance carrier and the OPC expect.


Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611