Information security incidents are increasing both in number and in scope. In consequence, the General Data Protection Regulation and the Directive on security of network and information systems force organisations to report such incidents to a supervision authority. Due to the growing of both the importance of managing incidents and the tendency to outsourcing, this study focuses on IT-consulting firms and highlights their vulnerable position as subcontractors. This study thereby addresses the lack of empirical research on incident management and contributes valuable insights in IT-consulting firms’ experiences with information security incident management. Evidence from interviews and a survey with experts at IT-consulting firms focuses on challenges in managing information security incidents. The analyses identify and clarify both new and known challenges, such as how the recent regulations affect the role of an IT-consulting firm and how the absence of major incidents influences stakeholder awareness. Improvements of IT-consulting firm’s incident management process need to address internal and external communication, the information security awareness of employees and customers and the adequacy of the cost focus.