A cyber incident used to be an IT problem with a legal aftermath. It is now a legal event with an IT component. Regulators expect timely notification. Insurers expect documented investigation. Claimants expect to be told what was taken. None of that is possible without forensic evidence handled to a legal standard from the outset.
What changes when forensics is done properly
- Notification to the Information Commissioner can be made accurately and on time.
- Insurance recovery is materially more likely, because carriers require investigative evidence.
- Litigation risk falls, because the organisation can show what happened and what it did about it.
- Any subsequent prosecution or civil claim has evidence a court can rely on.
What goes wrong when it is not
The typical failure pattern is fast remediation and no preservation. Systems are rebuilt, logs roll over, and by the time a lawyer is instructed there is nothing left to examine. The organisation is then in the position of having to negotiate with regulators, insurers and claimants without a defensible account of what happened.

