"The steps that followed suggest swift escalation to the C-suite, but by the time incident response processes kicked in the data was gone."
This implies that incident response had to be invoked by the C-suite and that the time involved was crucial. In that case there needs to be standing permission for sysadmins to respond immediately. It's an area the relevant regulator will need to check on in deciding what action to take.