Cyber Incident Responder

Canopius, Chicago, IL
2d

About The Position

The Role

Canopius is a market-leading cyber insurer with an in-house Cyber Incident Management Team (CIMT) that delivers immediate, expert support to our policyholders during their most critical moments. As an Incident Manager, you’ll be the first point of contact when a client faces a cyber event—whether business email compromise, ransomware, social engineering, data theft, or other attacks. You will triage and lead the response, mobilize our expert panel (forensics, legal, PR, and specialist advisors), and project-manage recovery from containment through restoration, providing calm, clear communication throughout.

Operating in a global, follow-the-sun model across Sydney, London, and Chicago, you’ll ensure true 24/7 coverage for new notifications, collaborate closely with our Claims team to support timely coverage assessment, and help clients navigate local legal and regulatory obligations. Sitting at the coal face of live incidents, you’ll also capture structured insights and trends that inform our underwriting, analytics, and ongoing service evolution, all while meeting and exceeding internal SLAs.

Requirements

  • A minimum of two years working in the cybersecurity field, ideally with hands-on involvement in incident handling or response activities.
  • Strong foundational knowledge of cyber-attack methods, threat behaviors, and the end-to-end lifecycle of incident response.
  • Demonstrated ability to solve complex problems and make sound judgements quickly, especially when operating in high-pressure or fast-moving situations.
  • Excellent organisational habits with a focus on accuracy and thoroughness in all tasks.
  • Clear and confident communication skills—both written and verbal—with the capability to explain technical issues in an accessible way for non-technical audiences.
  • Basic data skills to partner with Analytics (e.g., Excel/Power BI; familiarity with SQL/Python advantageous).
  • High empathy, composure under pressure, and a service mindset.

Responsibilities

  • Own the incident from notification to closure
  • Be the first point of contact for policyholder incident notifications.
  • Rapidly triage, assess severity, and set the response plan and cadence.
  • Orchestrate specialist vendors (IR firms, forensics, legal, PR, ransom advisors), ensuring right‑sized support at the right time.
  • Maintain clear timelines, decisions, and next steps
  • Deliver best-in-class customer service
  • Provide calm, empathetic guidance under pressure; translate technical issues into clear business impact and options.
  • Set and manage expectations on milestones (containment, restoration, notifications) and costs.
  • Conduct welcome/onboarding calls; explain how to notify, what to expect, and how the IR panel operates.
  • Capture and act on policyholder feedback to continuously improve service.
  • Hit internal SLAs (acknowledgement, triage, vendor mobilization, comms cadence).
  • Operate within a global, 24/7 team model
  • Participate in rota/on-call coverage to ensure true follow-the-sun response.
  • Perform structured handovers across regions; maintain accurate case notes and status.
  • Evolve the service offering
  • Contribute to playbook/runbook enhancements and decision trees (e.g., ransomware, BEC, DDoS, data exfil).
  • Recommend panel/vendor improvements and measure vendor SLAs and outcomes.
  • Support content development (guides, FAQs, tabletop scenarios).
  • Collaborate with Claims, Underwriting and Insights & Analytics
  • Partner with the Claims team to ensure smooth coverage confirmation and claim handling.
  • Surface material facts, costs, and causation signals; ensure incident files are complete and timely.
  • Escalate complex matters promptly and appropriately.
  • Sit “at the coal face” of live incidents and distil timely, high-quality insights (threat vectors, controls efficacy, vendor performance, and industry signals).
  • Provide structured post-incident summaries and trend themes for underwriters and leadership.
  • Ensure precise, consistent capture of incident metadata and outcomes (e.g., root cause, initial access, controls in place, dwell time, MTTA/MTTR, costs).
  • Champion data quality standards; work with Analytics to refine taxonomies and dashboards.
  • Collaborate in delivery of incident preparedness sessions, tabletops, and executive simulations for insureds.
  • Feed real-world lessons learned into control uplift recommendations.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

251-500 employees
