The First 72 Hours After a Cyber Attack in the Philippines: What the C-Suite Must Do

  • Writer: Richard Dalaygon
  • Jul 3

When a cyber attack hits your company, the first 72 hours are critical. For Filipino executives, those three days can define whether your organization recovers—or descends into operational chaos, legal exposure, and reputational damage.


Yet most board members, CEOs, and COOs in the Philippines haven’t rehearsed what to do. Many assume the IT or compliance team will take charge. But in reality, regulatory disclosures, public relations, insurance claims, and business continuity fall squarely under executive oversight.


Here is a breakdown of what the C-suite must do when the worst happens.


Hour 0 to 24: Containment and Communication

1. Activate Your Incident Response Plan (IRP)

If you don’t have one, that’s a governance gap. Your IRP should specify:

  • Who leads the response (CISO/DPO/IR team).

  • Which systems to isolate.

  • When to shut down or segment networks.

  • Contact lists for regulators, legal counsel, and third-party vendors.


2. Notify Key Internal Stakeholders

Immediately brief:

  • The executive team.

  • Board members.

  • Legal counsel.

  • Risk/insurance teams.


This is not the time for silos. Coordination avoids duplication and misinformation.


3. Engage Your Cybersecurity Partner

If you work with a Managed Security Service Provider (MSSP) or have an incident response retainer, this is the moment to activate them.


4. Begin Drafting Public & Regulatory Messaging

Depending on the nature of the breach, you may need to notify:

  • The National Privacy Commission (NPC) within 72 hours if personal data was exposed.

  • Clients, especially if SLAs include breach notification.

  • The BSP or SEC, if you're in banking or are a listed company.


Begin internal drafts immediately. Don’t wait for complete forensic confirmation to prepare your language.


Hour 24 to 48: Investigation and Disclosure

5. Launch Internal and Forensic Investigation

  • Determine scope and impact.

  • Identify affected data sets or systems.

  • Gather logs and preserve evidence.

  • Understand attacker behavior (e.g., ransomware, data exfiltration).


6. Notify the NPC (if applicable)

Under Philippine law, companies must notify the NPC of data breaches within 72 hours if:

  • Sensitive personal information was involved.

  • There is risk of harm or identity theft.


Incomplete information is acceptable—submit updates as facts emerge.


7. Inform Law Enforcement or Intelligence Agencies

Depending on the scale and nature of the attack, engage:

  • PNP-ACG (Anti-Cybercrime Group)

  • DICT

  • National Security Council, if critical infrastructure is involved


Hour 48 to 72: Decision and Recovery

8. Make Key Executive Decisions

  • Will you pay a ransom? (Legal and ethical issues apply.)

  • Can affected systems be restored from backup?

  • Should operations go offline temporarily?


This is where business impact and risk tolerance converge. The C-suite must lead.

9. Coordinate External Communications

  • Prepare media statements.

  • Brief key clients and partners.

  • Preempt leaks with transparent but controlled messaging.


Your reputation is on the line—own the narrative.


10. Start Recovery and Hardening

  • Patch vulnerabilities.

  • Reset credentials.

  • Monitor for secondary attacks.

  • Begin a security post-mortem.


Final Thought: The Worst Time to Plan Is During a Crisis

If you’re a Filipino executive and don’t know your organization's first 10 steps post-breach, you’re already behind. Treat this like fire safety: Have a plan. Drill it. Review it.


At VEKTOR, we run real-world tabletop exercises and breach simulations with executive teams. We help you turn confusion into clarity before it’s too late.

Want to rehearse your first 72 hours? Let’s talk.

