Incident Escalation Criteria Dataset In The United Kingdom
Escalation trigger | Escalation threshold | Escalation destination | Record keeping notes |
|---|---|---|---|
Legal or regulatory, Reputational, Customer or client impact | |||
Suspected personal data breach | Any loss, alteration, unauthorised disclosure of, or access to personal data. | Incident manager Senior management External adviser | Breach log, facts, risk assessment, decision on ICO notification, affected data categories. |
Legal or regulatory | |||
ICO notification deadline risk | Personal data breach may be notifiable and 72-hour clock may have started. | Senior management External adviser | Time discovered, notification assessment, reasons for delay, ICO submission draft. |
Legal or regulatory, Customer or client impact, Reputational | |||
High risk to individuals | Incident may cause identity theft, fraud, distress, discrimination, or financial loss. | Senior management External adviser | Data subject risk assessment, communication plan, notification copies, mitigation steps. |
Special category data exposure | Health, biometric, ethnic origin, political, religious, sexual orientation, or union data affected. | Senior management External adviser | Affected categories, volume, containment evidence, legal basis review, notifications. |
Criminal offence data exposure | Criminal convictions, offences, allegations, or related security measures are affected. | Senior management External adviser | Affected records, safeguards, lawful basis, access logs, notification assessment. |
Children or vulnerable individuals affected | Incident affects children, safeguarding data, care records, or vulnerable customers. | Senior management External adviser | Safeguarding assessment, affected cohorts, communications approvals, support measures. |
Legal or regulatory, Reputational, Customer or client impact, Operational | |||
Large-scale personal data breach | Breach affects many individuals, multiple systems, or business-critical datasets. | Board or executive committee External adviser | Population estimate, systems affected, timeline, command decisions, regulator updates. |
Operational, Financial, Legal or regulatory, Reputational | |||
Ransomware or extortion demand | Malware encrypts systems, steals data, or demands payment. | Board or executive committee External adviser | Ransom note, indicators of compromise, backups status, legal advice, insurer notice. |
Operational, Legal or regulatory, Reputational, Financial | |||
Active cyber intrusion | Confirmed unauthorised access, privilege escalation, lateral movement, or persistence. | Incident manager Senior management External adviser | SIEM alerts, forensic images, access logs, containment actions, analyst notes. |
Operational, Legal or regulatory, Reputational | |||
Suspected nation-state activity | Indicators match advanced persistent threat tradecraft or national security concern. | Board or executive committee External adviser | Threat intelligence, IOCs, forensic timeline, NCSC contact record, legal notes. |
Operational, Financial, Customer or client impact | |||
Critical system outage | Core service unavailable beyond agreed RTO or affecting critical processes. | Incident manager Senior management | Start time, service status, RTO breach, workarounds, recovery actions. |
Customer or client impact, Operational, Reputational, Financial | |||
Customer-facing service outage | External users cannot access products, accounts, support, or paid services. | Incident manager Senior management | Affected users, duration, status page updates, customer messages, SLA impact. |
Customer or client impact, Reputational, Financial | |||
Major customer impact | Incident affects key accounts, vulnerable customers, essential services, or high volumes. | Senior management | Customer list, impact analysis, account owner updates, compensation decisions. |
Customer or client impact, Legal or regulatory, Reputational | |||
Vulnerable customer harm risk | Incident may cause worse outcomes for customers in vulnerable circumstances. | Senior management | Customer vulnerability assessment, remediation, communications, support arrangements. |
Legal or regulatory, Operational, Reputational, Customer or client impact | |||
FCA material incident risk | FCA-regulated firm faces significant operational, cyber, conduct, or customer impact. | Senior management External adviser | Materiality assessment, compliance advice, FCA notification draft, board updates. |
Legal or regulatory, Operational, Customer or client impact, Financial | |||
PRA-regulated service disruption | Important business service may exceed impact tolerance or threaten safety and soundness. | Board or executive committee External adviser | Impact tolerance assessment, mapping evidence, regulator communications, decisions. |
Operational, Legal or regulatory, Customer or client impact | |||
Impact tolerance breach | Disruption approaches or exceeds maximum tolerable duration, volume, or harm metric. | Senior management Board or executive committee | Tolerance metric, breach time, harm assessment, lessons learned, remediation plan. |
Legal or regulatory, Operational, Financial, Customer or client impact | |||
Major payment services incident | Incident materially affects payment services security, continuity, integrity, or availability. | Senior management External adviser | FCA incident form data, customer impact, transaction volumes, root cause. |
E-money service incident | E-money issuance, redemption, safeguarding, or account access is materially affected. | Senior management External adviser | Customer balances affected, safeguarding impact, regulator notice, communications. |
Financial, Operational, Reputational | |||
Material financial loss | Actual or expected loss exceeds internal materiality or insurance deductible threshold. | Senior management | Loss estimate, assumptions, approvals, insurance notice, recovery actions. |
Financial, Legal or regulatory, Reputational | |||
Suspected fraud | Dishonest activity, payment diversion, false invoicing, or internal fraud suspected. | Senior management External adviser | Transaction records, access logs, evidence preservation, Action Fraud reference. |
Legal or regulatory, Financial, Reputational | |||
Bribery or corruption concern | Improper payment, inducement, facilitation payment, kickback, or hospitality abuse suspected. | Senior management Board or executive committee External adviser | Allegation, evidence, persons involved, investigation plan, legal advice. |
Money laundering suspicion | Knowledge or suspicion of money laundering or terrorist financing arises. | Senior management External adviser | MLRO referral, SAR decision, consent request, transaction evidence, tipping-off controls. |
Sanctions match or breach | Potential designated person match, frozen asset, prohibited dealing, or reportable breach. | Senior management External adviser | Screening result, match rationale, asset freeze steps, OFSI report, legal advice. |
Market abuse or inside information | Incident may involve inside information, unlawful disclosure, manipulation, or suspicious orders. | Board or executive committee External adviser | Inside information assessment, insider list, disclosure decision, FCA communications. |
Market disclosure risk | Incident may materially affect share price or require market announcement. | Board or executive committee External adviser | Materiality analysis, announcement drafts, sponsor advice, board minutes. |
Legal or regulatory, Operational, Reputational | |||
Serious health and safety incident | Death, specified injury, dangerous occurrence, or serious work-related ill health. | Senior management External adviser | Accident report, witness statements, RIDDOR submission, photos, corrective actions. |
Legal or regulatory, Reputational, Operational | |||
Fatality or life-threatening incident | Work-related death or life-threatening event may involve management failure. | Board or executive committee External adviser | Scene preservation, police or HSE contact, legal privilege plan, board minutes. |
Legal or regulatory, Reputational, Operational, Financial | |||
Environmental incident | Pollution, spill, waste breach, habitat damage, or permit breach suspected. | Senior management External adviser | Location, photos, spill logs, regulator contacts, remediation evidence. |
Legal or regulatory, Reputational, Operational | |||
Whistleblowing disclosure | Worker reports wrongdoing, legal breach, danger, concealment, or public interest concern. | Senior management External adviser | Disclosure record, confidentiality steps, investigation plan, retaliation safeguards. |
Discrimination or harassment allegation | Allegation involves protected characteristic, senior employee, systemic issue, or victimisation. | Senior management External adviser | Complaint, witness notes, HR records, interim measures, investigation outcome. |
Legal or regulatory, Customer or client impact, Reputational | |||
Safeguarding concern | Concern involves abuse, neglect, exploitation, or risk to a child or adult at risk. | Senior management External adviser | Concern form, referral record, decision rationale, confidentiality controls. |
Supplier or third-party impact, Operational, Customer or client impact, Financial | |||
Critical supplier failure | Supplier outage threatens critical process, customer service, data, or contractual duties. | Incident manager Senior management | Supplier notices, SLA data, dependency map, alternative arrangements, credits. |
Supplier or third-party impact, Operational, Customer or client impact | |||
Cloud provider outage | Hosted services, data availability, backups, or security controls are materially affected. | Incident manager Senior management | Provider status updates, ticket IDs, affected services, failover decisions. |
Supplier or third-party impact, Legal or regulatory, Customer or client impact, Reputational | |||
Third-party data breach | Processor, supplier, or partner reports breach involving organisation data. | Incident manager Senior management External adviser | Supplier notice, DPA terms, breach details, controller decisions, notifications. |
Supplier or third-party impact, Legal or regulatory | |||
Processor delayed breach notice | Processor delay may compromise controller 72-hour assessment or notification duties. | Senior management External adviser | Notice time, supplier explanations, missing facts, escalation emails, contract review. |
Legal or regulatory, Financial, Customer or client impact, Supplier or third-party impact | |||
Contract notification deadline | Contract requires customer, supplier, lender, insurer, or partner notice within set time. | Senior management External adviser | Relevant clauses, deadline tracker, notices sent, approvals, acknowledgements. |
Financial, Legal or regulatory | |||
Insurance notification risk | Incident may trigger cyber, liability, crime, D&O, property, or business interruption cover. | Senior management External adviser | Policy terms, notice time, broker correspondence, consent to incur costs. |
Reputational, Customer or client impact, Financial | |||
Media or public attention | Journalist enquiry, viral post, public complaint, or likely press coverage arises. | Senior management Board or executive committee External adviser | Media enquiries, holding statements, approvals, monitoring screenshots, Q&A. |
Reputational, Customer or client impact | |||
Viral social media complaint | Complaint gains significant reach or alleges legal, safety, bias, or misconduct issue. | Incident manager Senior management | Screenshots, URLs, engagement metrics, response approvals, customer contact log. |
Legal or regulatory, Reputational, Operational | |||
Senior executive implicated | Director, senior manager, SMF holder, or key person is involved or conflicted. | Board or executive committee External adviser | Conflict assessment, governance minutes, independent investigation mandate, advice records. |
Operational, Financial, Legal or regulatory, Reputational | |||
Risk appetite breach | Incident exceeds board-approved risk appetite, tolerance, or key risk indicator threshold. | Board or executive committee | KRI breach, risk appetite metric, management response, board decision. |
Operational, Customer or client impact, Financial | |||
Business continuity activation | Normal operations cannot continue without BCP, alternate site, manual workaround, or crisis team. | Incident manager Senior management | BCP activation time, decision maker, workarounds, staff communications, recovery status. |
Operational, Financial, Customer or client impact | |||
Disaster recovery activation | Production environment cannot be restored within RTO without DR plan execution. | Incident manager Senior management | DR decision, RTO/RPO status, failover steps, validation results, rollback plan. |
Backup or recovery failure | Backups unavailable, corrupted, encrypted, untested, or unable to meet RPO. | Incident manager Senior management | Backup logs, restore tests, RPO gap, data loss estimate, remediation. |
Operational, Legal or regulatory | |||
Security logging failure | Critical logs are missing, tampered with, unavailable, or retention compromised. | Incident manager | Logging gap, affected systems, preservation steps, compensating evidence, remediation. |
Operational, Legal or regulatory, Reputational | |||
Privileged account compromise | Admin, root, domain, finance, HR, or production credentials are compromised. | Incident manager Senior management | Account actions, access timeline, reset evidence, scope assessment, forensic notes. |
Financial, Legal or regulatory, Reputational | |||
Unauthorised payment or transfer | Payment sent to wrong, fraudulent, unauthorised, or altered bank details. | Senior management External adviser | Payment details, bank contacts, recall attempts, fraud report, approvals. |
Operational, Financial, Legal or regulatory, Reputational | |||
Business email compromise | Email account compromise leads to invoice fraud, data exposure, or malicious messages. | Incident manager Senior management | Mailbox logs, forwarding rules, sent items, payment impact, containment steps. |
Operational, Legal or regulatory, Financial | |||
Phishing campaign affecting staff | Multiple staff targeted or credentials entered, malware opened, or supplier spoofed. | Team lead Incident manager | Email headers, recipient list, clicked users, blocked domains, awareness notice. |
Operational, Financial, Reputational | |||
Malware outbreak | Malware spreads beyond one endpoint or affects servers, backups, or credentials. | Incident manager Senior management | Affected hosts, malware hashes, EDR alerts, isolation times, eradication evidence. |
Operational, Customer or client impact, Reputational, Financial | |||
Denial-of-service attack | Traffic attack degrades or prevents access to customer-facing or critical systems. | Incident manager Senior management | Traffic metrics, provider tickets, mitigation steps, downtime, customer notices. |
Operational, Legal or regulatory, Customer or client impact | |||
Unauthorised production change | Unapproved code, configuration, infrastructure, or database change affects production. | Incident manager | Change record, commit history, approvers, rollback evidence, impact assessment. |
Operational, Customer or client impact, Financial | |||
Severe release defect | Release causes critical defect, data corruption, payment error, or service outage. | Incident manager Senior management | Release notes, defect scope, rollback decision, customer impact, RCA. |
Operational, Customer or client impact, Legal or regulatory, Financial | |||
Data corruption or integrity issue | Records are inaccurate, corrupted, duplicated, deleted, or cannot be trusted. | Incident manager Senior management | Affected datasets, correction plan, audit trail, validation results, customer impact. |
Operational, Legal or regulatory, Customer or client impact | |||
Accidental data deletion | Deletion affects regulated records, customer data, backups, or critical operations. | Incident manager | Deleted records, cause, restoration evidence, retention impact, breach assessment. |
Legal or regulatory, Operational | |||
Records retention failure | Required business, legal, audit, tax, employment, or regulated records are lost. | Senior management External adviser | Record class, retention requirement, loss cause, recovery attempts, legal assessment. |
Legal or regulatory, Financial, Operational | |||
Tax reporting disruption | Incident may affect VAT, PAYE, corporation tax, customs, or statutory filing accuracy. | Senior management External adviser | Affected filings, deadlines, estimates, HMRC correspondence, correction evidence. |
Legal or regulatory, Financial, Reputational | |||
Statutory filing disruption | Incident may prevent accurate or timely Companies House accounts or confirmation filing. | Senior management External adviser | Deadline, affected filings, extension efforts, board approvals, submission evidence. |
Financial, Legal or regulatory, Reputational | |||
Solvency or going concern risk | Incident threatens liquidity, covenant compliance, payroll, solvency, or going concern status. | Board or executive committee External adviser | Cash forecasts, creditor impact, board minutes, insolvency advice, mitigation plan. |
Operational, Financial, Customer or client impact | |||
Premises unavailable | Office, warehouse, plant, branch, or data centre cannot be safely accessed. | Incident manager Senior management | Access restrictions, safety checks, landlord notices, alternative site plan, photos. |
Operational, Customer or client impact, Supplier or third-party impact | |||
Utilities or telecoms outage | Power, internet, telephony, water, or heating outage affects critical operations. | Incident manager | Provider status, fault references, affected sites, continuity measures, restoration time. |
Operational, Customer or client impact | |||
Critical staff unavailability | Absence, strike, illness, travel disruption, or key-person loss affects essential functions. | Team lead Incident manager | Staffing levels, functions affected, rota changes, HR advice, continuity actions. |
Operational, Customer or client impact, Reputational | |||
Industrial action disruption | Strike, picketing, or work-to-rule may disrupt critical services or safety. | Senior management External adviser | Union notices, contingency plan, customer impact, legal advice, communications. |
Legal or regulatory, Customer or client impact, Reputational, Financial | |||
Product safety issue | Product may be unsafe, defective, non-compliant, or require recall or warning. | Senior management Board or executive committee External adviser | Batch data, complaints, risk assessment, regulator contact, recall decision. |
Food safety incident | Food may be unsafe, contaminated, mislabelled, allergen-risk, or require recall. | Senior management External adviser | Batch traceability, risk assessment, FSA notification, recall notices, customer complaints. |
Consumer rights breach | Incident may involve unfair terms, misleading practices, refunds, cancellation, or defective goods. | Senior management External adviser | Customer complaints, terms, sales materials, refund decisions, legal assessment. |
Legal or regulatory, Reputational, Customer or client impact | |||
Misleading advertising complaint | Complaint alleges misleading, harmful, offensive, irresponsible, or non-compliant advertising. | Senior management External adviser | Ad copy, substantiation, complaints, ASA correspondence, takedown decision. |
Legal or regulatory, Financial, Reputational | |||
Competition law concern | Price fixing, market sharing, bid rigging, resale pricing, or abuse concern arises. | Board or executive committee External adviser | Evidence preservation, dawn raid readiness, legal advice, CMA contact record. |
Intellectual property infringement | Incident involves unauthorised use, disclosure, copying, or loss of valuable IP. | Senior management External adviser | IP asset, evidence, access logs, takedown notices, legal advice. |
Legal or regulatory, Financial, Reputational, Customer or client impact | |||
Confidential information leak | Trade secrets, pricing, bids, strategy, source code, or client confidential data leaked. | Senior management External adviser | Leaked material, recipients, NDAs, containment steps, takedown actions. |
Legal or regulatory, Reputational, Financial | |||
Legal privilege risk | Investigation may involve litigation, regulator enforcement, criminal liability, or sensitive advice. | External adviser Senior management | Privilege protocol, counsel instructions, document labels, distribution limits. |
Legal or regulatory, Financial, Reputational | |||
Threatened litigation or claim | Letter before claim, injunction threat, group claim, or material dispute arises. | Senior management External adviser | Claim correspondence, evidence hold, chronology, insurance notice, legal advice. |
Legal or regulatory, Reputational, Operational | |||
Law enforcement enquiry | Police, NCA, SFO, HMRC, or other authority requests information or attends site. | Senior management External adviser | Officer details, warrant or request, documents provided, legal advice, chain of custody. |
Legal or regulatory, Reputational, Financial | |||
Regulator enquiry or investigation | Regulator requests information, opens investigation, threatens enforcement, or visits premises. | Board or executive committee External adviser | Request, deadlines, responses, document hold, regulator communications, advice. |
Legal or regulatory, Reputational, Operational | |||
Search warrant or dawn raid | Authority arrives with warrant, inspection powers, or document seizure request. | Board or executive committee External adviser | Warrant copy, officials list, documents seized, objections, legal attendance notes. |
Legal or regulatory, Reputational, Supplier or third-party impact | |||
Modern slavery concern | Forced labour, exploitation, trafficking, or supply-chain abuse suspected. | Senior management Board or executive committee External adviser | Supplier details, worker safety steps, investigation, reports, remediation plan. |
Supplier or third-party impact, Reputational, Legal or regulatory | |||
Supplier ethical breach | Supplier breach involves labour abuse, sanctions, bribery, safety, environment, or fraud. | Senior management | Supplier evidence, contract rights, audit results, suspension decision, remediation. |
Supplier or third-party impact, Operational, Financial, Customer or client impact | |||
Key supplier insolvency | Critical supplier enters administration, liquidation, distress, or threatens service cessation. | Senior management External adviser | Supplier notices, continuity plan, replacement options, contract rights, risk assessment. |
Financial, Customer or client impact, Operational | |||
Major customer insolvency | Customer default may cause material bad debt, service risk, or contractual exposure. | Senior management | Exposure amount, credit notes, contract rights, communications, impairment assessment. |
Financial, Legal or regulatory, Reputational | |||
Financing covenant breach | Incident may breach loan covenant, facility agreement, security, or reporting undertaking. | Board or executive committee External adviser | Covenant calculation, lender notice, waiver request, board approvals, advice. |
Audit qualification risk | Incident may affect financial statements, controls, evidence, going concern, or audit opinion. | Senior management Board or executive committee External adviser | Auditor correspondence, accounting impact, control failure, board papers, remediation. |
Operational, Financial, Reputational | |||
Payroll failure | Staff pay, pensions, PAYE, benefits, or statutory payments may be late or wrong. | Senior management | Affected employees, payment files, corrections, staff communications, HMRC impact. |
Legal or regulatory, Financial, Reputational | |||
Pension contribution failure | Auto-enrolment, contribution, scheme payment, or member data issue arises. | Senior management External adviser | Affected members, missed payments, trustee or provider notices, rectification. |
Legal or regulatory, Customer or client impact, Reputational | |||
Accessibility failure | Digital service excludes disabled users or creates legal, service, or complaint risk. | Senior management | Accessibility findings, complaints, affected journeys, fixes, equality assessment. |
Operational, Legal or regulatory, Customer or client impact, Reputational | |||
AI output or model failure | AI system produces harmful, biased, confidential, unsafe, or materially wrong output. | Incident manager Senior management External adviser | Prompt, output, model version, user impact, mitigation, review decision. |
Legal or regulatory, Customer or client impact, Reputational | |||
Automated decision challenge | Person challenges automated decision with legal, significant, unfair, or discriminatory effect. | Senior management External adviser | Decision logic, human review, DPIA, complaint, outcome communication. |
Legal or regulatory, Customer or client impact | |||
High-risk processing change | Incident response requires high-risk new processing, monitoring, profiling, or data sharing. | Senior management External adviser | DPIA, necessity assessment, residual risk, DPO advice, consultation decision. |
Legal or regulatory, Supplier or third-party impact | |||
International data transfer issue | Incident involves transfer to non-UK country without clear safeguard or assessment. | Senior management External adviser | Transfer map, safeguards, TRA, contracts, importer communications, remedial actions. |
Legal or regulatory, Customer or client impact, Reputational | |||
Data subject rights deadline risk | Incident prevents timely response to DSAR, erasure, rectification, objection, or portability request. | Team lead Incident manager | Request log, deadline, search status, extension rationale, response copy. |
Legal or regulatory, Reputational, Customer or client impact | |||
ICO complaint or enquiry | ICO contacts organisation or individual complains to ICO about data handling. | Senior management External adviser | ICO correspondence, complaint file, response deadlines, evidence, remedial actions. |
Legal or regulatory, Operational, Customer or client impact | |||
NIS reportable incident risk | Essential or relevant digital service incident may substantially affect service continuity. | Senior management External adviser | Service impact, users affected, duration, competent authority notice, NCSC contact. |
Telecoms security incident | Provider network or service security, availability, or resilience materially affected. | Senior management External adviser | Network impact, customer numbers, Ofcom notice, technical reports, remediation. |
Legal or regulatory, Customer or client impact, Operational, Reputational | |||
Clinical service or patient data incident | Incident affects patient safety, care continuity, NHS data, or clinical records. | Senior management External adviser | Patient safety assessment, records affected, NHS reporting, clinical mitigation. |
Legal or regulatory, Financial, Reputational, Customer or client impact | |||
Charity serious incident | Charity faces significant loss, harm, safeguarding, fraud, reputation, or governance issue. | Board or executive committee External adviser | Trustee decision, Charity Commission report, incident facts, mitigation, follow-up. |
Legal or regulatory, Customer or client impact, Reputational | |||
Education safeguarding or pupil data incident | Incident affects pupils, safeguarding records, exam integrity, or school duties. | Senior management External adviser | DSL record, parent communications, local authority contact, ICO assessment. |
Customer or client impact, Reputational, Operational | |||
Complaint volume spike | Complaints exceed normal volume or indicate systemic customer harm. | Incident manager Senior management | Complaint themes, volumes, root cause, response scripts, remediation tracking. |
Operational, Customer or client impact, Financial | |||
Incident unresolved beyond SLA | Incident remains unresolved beyond internal SLA or customer contractual target. | Team lead Incident manager | SLA timer, blockers, owner changes, customer updates, escalation decision. |
Operational, Customer or client impact, Reputational | |||
Repeated incident recurrence | Same root cause, control failure, or customer impact recurs within defined period. | Incident manager Senior management | Prior incidents, RCA comparison, control actions, ownership, recurrence metrics. |
Operational, Legal or regulatory, Financial, Reputational, Customer or client impact, Supplier or third-party impact | |||
Severity cannot be assessed | Facts are insufficient but worst-case impact could be material or time-critical. | Incident manager | Known facts, assumptions, information gaps, next review time, decision rationale. |
Operational, Financial, Customer or client impact | |||
Resource conflict or decision deadlock | Teams disagree on containment, restoration, customer messaging, cost, or risk trade-off. | Senior management | Options, risks, dissenting views, decision owner, approvals, follow-up actions. |
Reputational, Legal or regulatory, Customer or client impact | |||
External communications required | Customer, regulator, investor, media, staff, or public statement is needed. | Senior management External adviser | Drafts, approvals, distribution list, publication time, Q&A, legal sign-off. |
Financial, Customer or client impact, Reputational | |||
Customer compensation decision | Incident may require refunds, credits, redress, goodwill payments, or remediation scheme. | Senior management | Eligibility criteria, calculations, approvals, customer communications, payment records. |
Customer or client impact, Reputational, Legal or regulatory | |||
Mass customer notification | Large customer group must be warned, updated, migrated, refunded, or supported. | Senior management | Recipient list, message versions, send times, bounce reports, contact centre scripts. |
Customer or client impact, Operational, Reputational | |||
Support channel overload | Contact centre, email, chat, or complaints queues exceed crisis thresholds. | Incident manager Senior management | Queue metrics, staffing actions, scripts, escalation routes, service levels. |
Legal or regulatory, Reputational, Operational | |||
Employee data exposure | Payroll, HR, disciplinary, health, absence, or monitoring data is exposed. | Incident manager Senior management External adviser | Affected employees, data types, union or HR communications, ICO assessment. |
Legal or regulatory, Customer or client impact, Reputational | |||
CCTV or monitoring incident | CCTV, call recording, device monitoring, or tracking is misused or compromised. | Incident manager Senior management | Footage affected, access logs, policy review, privacy notice, complaint records. |
Operational, Legal or regulatory, Reputational, Financial | |||
Physical security breach | Unauthorised access, theft, tampering, lost keys, badge misuse, or secure area breach. | Incident manager Senior management | Access records, CCTV, asset list, police report, lock or badge changes. |
Legal or regulatory, Operational, Reputational | |||
Lost or stolen device | Device contains business data, credentials, personal data, or privileged access. | Team lead Incident manager | Device ID, encryption status, remote wipe, data assessment, police report. |
Legal or regulatory, Reputational, Operational | |||
Lost removable media | USB, hard drive, paper file, backup tape, or archive containing sensitive data lost. | Incident manager | Media inventory, encryption, contents, last custody, search actions, breach assessment. |
Legal or regulatory, Reputational, Customer or client impact | |||
Paper records breach | Paper files are misdirected, lost, stolen, viewed, or disposed of insecurely. | Team lead Incident manager | File details, recipients, retrieval efforts, disposal evidence, risk assessment. |
Legal or regulatory, Customer or client impact, Reputational | |||
Misdirected email or message | Sensitive, personal, confidential, or regulated information sent to wrong recipient. | Team lead Incident manager | Message copy, recipients, recall attempt, deletion confirmation, breach assessment. |
Legal or regulatory, Customer or client impact, Reputational, Supplier or third-party impact | |||
Unauthorised data sharing | Data shared without authority, lawful basis, agreement, transparency, or required safeguards. | Incident manager Senior management External adviser | Data shared, recipients, lawful basis review, DSA status, containment. |
Legal or regulatory, Customer or client impact, Reputational | |||
Consent or marketing breach | Marketing sent without valid consent, opt-out, soft opt-in, or preference compliance. | Incident manager Senior management | Campaign list, consent records, suppression list, complaint data, remedial action. |
Legal or regulatory, Reputational, Customer or client impact | |||
Cookie or tracking breach | Non-essential cookies, pixels, or trackers deployed without valid consent or transparency. | Incident manager Senior management | Cookie scan, CMP logs, consent records, vendor list, remediation evidence. |
Reputational, Operational, Legal or regulatory | |||
Website defacement | Public website displays unauthorised, malicious, false, offensive, or harmful content. | Incident manager Senior management | Screenshots, logs, change history, takedown time, customer or media impact. |
Operational, Reputational, Customer or client impact, Financial | |||
Domain or DNS compromise | Domain, DNS, registrar, MX, SPF, DKIM, or hosting control is altered or hijacked. | Incident manager Senior management External adviser | DNS records, registrar tickets, change logs, restoration steps, abuse reports. |
Operational, Legal or regulatory, Reputational | |||
Certificate or key compromise | TLS certificate, signing key, API key, encryption key, or secret is exposed. | Incident manager | Key identifier, exposure source, rotation evidence, revocation, dependent systems. |
Exploited critical vulnerability | Known critical vulnerability is exploited or exposed on internet-facing system. | Incident manager Senior management | CVE, exposure window, patch status, exploit evidence, affected assets. |
Operational, Legal or regulatory | |||
Unpatched critical vulnerability | Critical vulnerability cannot be patched or mitigated within risk-based deadline. | Team lead Incident manager | Asset list, CVSS or threat rating, exceptions, compensating controls, owner. |
Supplier or third-party impact, Operational, Legal or regulatory, Reputational | |||
Software supply chain compromise | Third-party code, package, update, build pipeline, or dependency is compromised. | Incident manager Senior management External adviser | Affected dependencies, SBOM, vendor notices, patch status, forensic findings. |
Legal or regulatory, Financial, Reputational | |||
Open-source licence breach | Software use may breach copyleft, attribution, source disclosure, or licence terms. | Senior management External adviser | Component list, licence terms, product use, legal assessment, remediation. |
Legal or regulatory, Financial, Reputational, Customer or client impact | |||
Payment card data incident | Cardholder data environment, PAN, authentication data, or payment terminal compromised. | Senior management External adviser | Card data scope, acquirer notice, forensic report, PCI evidence, customer impact. |
Financial, Operational, Legal or regulatory | |||
Banking access compromise | Online banking credentials, payment approvals, mandate, or treasury system compromised. | Senior management External adviser | Bank contacts, access changes, transaction review, payment freezes, fraud reports. |
Legal or regulatory, Financial, Customer or client impact, Reputational | |||
Customer money or assets risk | Client money, custody assets, safeguarding, or segregation may be inaccurate or impaired. | Board or executive committee External adviser | Reconciliations, shortfall estimate, customer impact, FCA notice, remediation. |
Legal or regulatory, Financial, Reputational | |||
AML control failure | Screening, monitoring, KYC, suspicious activity, or sanctions controls fail materially. | Senior management External adviser | Control outage, affected customers, alerts backlog, MLRO decision, remediation. |
Legal or regulatory, Operational, Financial | |||
Legal hold required | Litigation, investigation, inquiry, regulator request, or claim requires evidence preservation. | Senior management External adviser | Hold notice, custodians, systems, preservation scope, acknowledgements, collection log. |
Legal or regulatory, Reputational, Operational | |||
Evidence tampering risk | Logs, documents, devices, footage, or records may be altered, deleted, or concealed. | Senior management External adviser | Chain of custody, preservation actions, access restrictions, forensic images. |
Operational, Legal or regulatory, Reputational, Financial | |||
Serious employee misconduct | Misconduct involves fraud, harassment, safety, data, violence, theft, or senior staff. | Senior management External adviser | Allegation, HR file, suspension decision, investigation notes, outcome letter. |
Operational, Legal or regulatory, Reputational | |||
Workplace violence or threat | Physical assault, credible threat, weapon, stalking, or serious intimidation occurs. | Senior management External adviser | Incident report, police contact, witness statements, risk assessment, support offered. |
Employee welfare emergency | Immediate risk of self-harm, severe distress, unsafe working, or welfare emergency. | Senior management External adviser | Welfare actions, emergency contacts, HR advice, confidentiality controls, support offered. |
Operational, Legal or regulatory, Reputational, Financial | |||
Fire or evacuation incident | Fire, smoke, alarm, evacuation, fire system failure, or unsafe premises issue. | Incident manager Senior management | Evacuation log, fire service contact, alarm data, risk assessment, remedial works. |
Financial, Legal or regulatory, Operational | |||
Panel adviser requirement | Policy requires approved legal, forensic, PR, or loss adjuster before major spend. | External adviser Senior management | Policy clause, insurer approval, panel appointment, scope, cost authorisations. |
Operational, Legal or regulatory, Financial, Reputational | |||
Specialist expertise required | Internal team lacks expertise for forensics, legal advice, PR, safety, tax, or sector rules. | External adviser | Reason for appointment, scope, engagement letter, advice received, decisions. |
Operational | |||
Incident owner unavailable | Assigned incident owner cannot act, is conflicted, or lacks authority. | Team lead Incident manager | Reassignment decision, authority level, handover notes, contact attempts. |
Operational, Legal or regulatory, Customer or client impact | |||
Out-of-hours major incident | Incident arises outside normal hours and may need urgent decisions or notifications. | Incident manager Senior management | On-call contacts, response times, approvals, decisions, next briefing time. |
Legal or regulatory, Operational, Customer or client impact, Supplier or third-party impact | |||
Multi-jurisdiction impact | Incident affects UK plus overseas customers, staff, regulators, contracts, or operations. | Senior management External adviser | Countries affected, local counsel, notification map, communications, deadlines. |
Financial, Legal or regulatory, Reputational | |||
Transaction or M&A impact | Incident may affect due diligence, warranties, disclosure, completion, valuation, or financing. | Board or executive committee External adviser | Transaction documents, disclosure analysis, buyer or seller notices, board approvals. |
Legal or regulatory, Financial, Reputational, Customer or client impact | |||
Public procurement compliance issue | Incident affects tender fairness, exclusion risk, contract performance, or public authority duties. | Senior management External adviser | Tender records, conflict logs, authority correspondence, standstill impact, advice. |
Legal or regulatory, Reputational, Financial | |||
Conflict of interest | Incident involves undisclosed interest, related party, procurement conflict, or conflicted decision-maker. | Senior management Board or executive committee | Conflict declaration, recusals, decision minutes, mitigation, independent review. |
Legal or regulatory, Financial, Reputational, Supplier or third-party impact | |||
NDA or confidentiality breach | Protected information is disclosed contrary to NDA, contract, bid rules, or court order. | Senior management External adviser | NDA terms, disclosure facts, recipients, notice obligations, remedial steps. |
Legal or regulatory, Financial, Reputational, Operational | |||
Court order or injunction risk | Incident may breach court order, undertaking, disclosure duty, or injunction. | Board or executive committee External adviser | Order terms, breach facts, legal advice, remedial action, court communications. |
Legal or regulatory, Financial, Reputational, Supplier or third-party impact | |||
Export control concern | Controlled goods, software, technology, or dual-use items may be exported unlawfully. | Senior management External adviser | Item classification, destination, licence status, shipment records, legal advice. |
Legal or regulatory, Financial, Reputational, Operational | |||
Right-to-work compliance issue | Employee may lack valid right to work or checks are missing or defective. | Senior management External adviser | Check records, visa status, Home Office guidance, HR actions, legal advice. |
Operational, Supplier or third-party impact, Customer or client impact, Financial | |||
Data centre or hosting incident | Hosting, colocation, cooling, power, connectivity, hardware, or facility incident affects service. | Incident manager Senior management | Facility notices, affected racks, failover status, provider tickets, recovery time. |
Operational, Customer or client impact, Financial | |||
Capacity exhaustion | CPU, storage, bandwidth, licence, queue, or staff capacity threatens service availability. | Team lead Incident manager | Capacity metrics, trend, emergency changes, cost approvals, prevention plan. |
Legal or regulatory, Financial, Operational | |||
Software licence compliance issue | Unlicensed, overused, unauthorised, or audit-triggering software use identified. | Senior management External adviser | Licence count, usage evidence, vendor notices, remediation, settlement authority. |
Legal or regulatory, Financial, Reputational, Operational | |||
Regulatory licence condition breach | Incident may breach sector licence, authorisation, permit, approval, or undertaking. | Board or executive committee External adviser | Licence condition, breach analysis, regulator notice, corrective plan, approvals. |
Operational, Financial, Legal or regulatory, Reputational | |||
Board reporting required | Incident is material, strategic, recurring, unresolved, or outside delegated authority. | Board or executive committee | Board paper, timeline, decisions sought, risk assessment, action tracker. |
Financial, Operational, Legal or regulatory | |||
Delegated authority exceeded | Response requires spend, settlement, contract change, write-off, or risk acceptance beyond authority. | Senior management Board or executive committee | Authority limit, requested approval, rationale, approver, conditions, decision. |
When Should A UK Incident Response Plan Require Escalation?
Escalation criteria should not be limited to technical severity. UK organisations should escalate quickly where an incident may involve personal data, regulated services, financial loss, vulnerable customers, safety risks, contractual notification duties, or senior stakeholder attention.
Which UK Legal And Regulatory Triggers Need Fast Escalation?
- Personal data breaches should be escalated immediately where there is a possible risk to individuals, because the UK GDPR requires notification to the ICO without undue delay and, where feasible, within 72 hours.
- Cyber incidents affecting FCA-regulated firms should be escalated to senior management and compliance where they may be material, because firms may need to notify the FCA promptly.
- Reportable safety, fraud, AML, sanctions, and market-abuse concerns require escalation beyond the operational team because evidence preservation and regulatory notification decisions are time-sensitive.
What Evidence Should Be Kept When An Incident Is Escalated?
For each escalation, retain a concise audit trail showing what happened, when it was identified, who made the escalation decision, who was notified, and what actions were approved. For data protection and regulated-sector incidents, keep the risk assessment, notification decision, regulator correspondence, customer communications, technical logs, and legal advice records where applicable.
How Should Escalation Levels Be Designed?
Use tiered destinations: routine contained issues can go to a team lead; cross-functional or unresolved incidents should go to an incident manager; regulatory, financial, customer, media, or supplier-critical issues should reach senior management; existential, market-sensitive, or governance-critical incidents should reach the board or executive committee; specialist issues should involve an external adviser, such as cyber forensic, legal, PR, insurance, or safety specialists.

FAQs
You Might Also Be Interested In



