Council Cyber Incident Response Guide: What to Do When Your Council is Attacked
When a ransomware attack hits, councils have hours — not days — to make decisions that will determine whether the incident becomes a contained disruption or a multi-year catastrophe. The councils that recovered fastest from major cyber incidents had one thing in common: a tested incident response plan that told everyone exactly what to do, in what order, from the moment an incident was detected.
Councils with tested incident response plans contain cyber attacks significantly faster and at lower cost than those relying on improvised responses.
Immediate Response: The First 4 Hours
When a significant cyber incident is detected:
- Isolate affected systems — disconnect from the network immediately to prevent further spread
- Activate your incident response team — notify the IT lead, the SIRO, the Chief Executive, and the legal team
- Contact NCSC — call 0300 020 0973 for guidance and support
- Notify your cyber insurer — most policies require prompt notification
- Preserve evidence — do not wipe systems before forensic capture
- Establish alternative communications — assume council email may be compromised
Regulatory Notification Requirements
Councils must meet notification deadlines. The ICO must be notified within 72 hours if personal data has been affected and there is a risk to individuals. Individuals must be notified directly if the breach poses a high risk to them. Under the NIS Regulations, OES-designated councils must notify the relevant competent authority of significant incidents. Document all notifications and their timing carefully.
Recovery Phases
Council recovery typically proceeds through phases: containment (isolating affected systems), eradication (removing malware and attacker access), recovery (restoring systems from clean backups), and review (learning from the incident). Prioritise restoration of essential public services — waste collection schedules, housing emergency lines, and benefit payment systems.
Frequently Asked Questions
Who should lead the council's incident response?
The SIRO (Senior Information Risk Owner) or equivalent executive should lead the organisational response, with the IT/ICT team leading the technical response. The council's legal team must be involved from the start. Consider appointing an external incident response firm — your cyber insurer can usually recommend one — to lead the technical investigation.