Cyber incident response planning 101

Mark Greisiger, president of NetDiligence, on how captives can prepare and defend against cybersecurity threats.


Cyber incidents have become an unfortunate way of life – in some sense, they might even be considered a cost of business for our continued use of increasingly networked digital technologies.

Indeed, when Accenture recently surveyed business executives, 78% said that they don’t know how or when a cybersecurity incident might affect their organisations.

The only way forward is to embrace the uncertainty of cyber risk and prepare for it head-on with cyber incident response planning.

This is especially important for captively insured companies, since your own capital is at risk.

Captive Review (CR): What is a cyber incident response plan?

Mark Greisiger (MG): A cyber incident response plan is a detailed and holistic playbook for what to do when a data breach, cyberattack or other cybersecurity incident occurs. Having a well-thought-out, practised and easily accessed incident response plan is a foundational best practice of cyber risk management in that it helps organisations prevent a bad situation from becoming a worst-case scenario when an incident occurs.

CR: Should you develop an incident response plan for your organisation?

MG: Yes. Given that many cyber incidents lead to chaos and confusion, having an incident response plan in place is crucial for preventing organisational chaos and mistakes. Effective cyber response requires multiple sequential steps, cross-department collaboration, on-the-spot decision making as well as timely execution. On the other hand, a poor or slow response can incur more financial and reputational damage for companies by amplifying the impact of the incident, thus creating more legal or regulatory exposure, or destroying critical data altogether. Add to that lost business partners and customers, business interruption losses, onerous fines and other costs, and cybersecurity incidents are a problem no organisation wants. As such, a formalised incident response plan is increasingly required by cyber insurers, regulators, third-party partners and even clients. Incident response plans help organisations mitigate risks and are a must-have for any cybersecurity risk management programme worth its salt.

CR: What should your cyber incident response plan cover?

MG: An optimal incident response plan covers preparation, detection and analysis, containment, eradication and recovery, as well as post-incident activity. It should also account for multiple different scenarios such as data breaches, ransomware attacks, phishing attacks, malware, business email compromise (ACH wire fraud), and internet-facing vulnerabilities – each with specific and actionable steps. In addition, a comprehensive and actionable incident response plan should include:

  • roles, responsibilities and 24/7/365 contact information for critical internal and external response teams
  • protocol and contact information for reporting a cyber insurance claim to your provider or captive programme
  • rules for categorising the severity of an attack to determine the appropriate response strategy
  • an inventory of network assets and data and where they reside
  • response sequences for contacting and engaging Breach Coach® counsel, forensics teams, as well as other third-party providers
  • internal communication protocols
  • recovery exercises along with suggested next steps
  • breach notification procedures
  • a list of action steps in a predetermined and logical sequence.

CR: Why should you practise your cyber incident response plan?

MG: Once a plan has been developed, it should not be simply stowed away on the shelf. After all, a plan is only as good as it is in practice and can be put into action when the time comes. However, before you can practise your incident response plan, it’s important to ensure the plan is sound. Before it’s practised internally, an incident response plan should be reviewed by a breach coach – a data breach consultant or cybersecurity expert who typically acts as a first responder – to ensure it meets the requirements of relevant laws and regulation at both the state and federal levels. Since the breach coach expert will most likely be on hand to coordinate the response with external partners such as forensic companies and IT restoration services, as well as the insurance carrier’s claims department, their input is critical for success.

CR: How should you practise your incident response plan?

MG: Most people are not at their best during a crisis, so the first time key players on your team see your incident response plan should not be the moment when an incident has occurred. To make sure that all parties understand what is in the plan, their roles and whether the plan covers all needed bases, your organisation must review and practise the plan. The best way to do that is by running through various cybersecurity ‘fire drills’, also known as tabletop exercises. A tabletop exercise allows you to walk through a data-breach event before it actually happens.

Typically, the exercise is facilitated by an outside expert such as a breach coach or forensics expert who walks through simulated security incidents step by step in real time, asking critical questions of staff in order to determine what actions should be taken to respond. Bring together internal stakeholders such as the executive team, IT, the security team, essential third-party service providers and functional leaders, along with external stakeholders such as insurance brokers, carriers, outside legal counsel, cyber response firms and law enforcement, so that they will be better prepared to collaborate if and when an incident occurs.

Test key elements of the response processes, such as alerting procedures and restoring data from backups. Practising an incident response plan also helps perfect or improve the plan before it’s actually needed. Key personnel can use the process to identify the plan’s oversights and gaps, and then address all of the above with revisions to the plan. Considering that an effective incident response plan is a living document, plans should be reviewed, tested and updated frequently to account for organisational changes, new threats, new regulatory requirements and new technology. It is recommended to run cybersecurity fire drill exercises at a minimum annually. Some aspects of the plans, like your business recovery functions, should ideally be tested quarterly to ensure that they are still operating as expected.

CR: What are common mistakes to avoid in activating your incident response plan?

MG: Once you’ve developed and tested or practised your incident response plan, you should be well-prepared to put it into action when needed. Here are some common pitfalls to avoid:

  1. Don’t rely on your normal infrastructure for storage of your incident response plan and key response resources: During an attack or a system failure, your network or cloud storage may well be down, and you need access to your incident response plan and supporting documents. Consider a turnkey incident response plan solution like Breach Plan Connect®, which offers a ready-made, pre-written incident response plan which is customisable and accessible 24/7 via mobile app.
  2. Don’t be caught by surprise if an event takes place late at night, on a weekend or during holiday hours: According to a 2020 report by FireEye, 76% of ransomware attacks happened outside normal business hours, simply because criminals know that’s when you’re least prepared to respond. Build this very real scenario into your plan and ensure you have the correct information on file to reach all pertinent parties both after-hours and on weekends.
  3. Don’t let a lack of buy-in from your response team hamper your efforts: First responders may skip steps that they don’t agree with or see as important. This may create more unnecessary risk for your organisation. It’s crucial that internal personnel understand the steps and more importantly the reason why they are part of the plan so they follow the plan as it was designed.
  4. Don’t engage directly with threat actors before consulting with specialists: Though it’s tempting to communicate with someone who is holding your data for ransom, be sure to have the input of trusted experts to guide you.
  5. Don’t discuss the incident with anyone unless directed by legal counsel – that includes regulators or people impacted by the incident: There are many good reasons to keep an incident under wraps until you understand the scope of the incident and your legal obligations. Your lawyer or breach coach will let you know when it’s appropriate to share such information.
  6. Don’t delete any files or disrupt evidence on the scene: This will be needed for forensic investigation as well as any potential litigation or regulatory enforcement down the road.

For more information about incident response planning and cyber risk management, visit

12 August 2024