Attorney Insight: Effective Incident Response Planning

Cybersecurity threats often surface with little to no warning, catching organizations off guard and forcing them into a reactionary posture. Many companies feel confident in their level of preparedness, but the true measure of that readiness is exposed only when a cyber incident occurs. Without a functional and practiced Cyber Incident Response Plan (CIRP), even the best intentions can fall short, leaving businesses vulnerable when it matters most.

Based on our experience handling hundreds of security incidents, this article provides companies with best practices for developing, testing, and refining the CIRP while outlining five of the most important, and often overlooked, components of an effective response plan.

The Cyber Incident Response Plan

A Cyber Incident Response Plan is an essential framework that organizations use to systematically prepare for, respond to, and recover from cybersecurity incidents, such as systems intrusions and data breaches. A well-designed CIRP identifies key response team members and outlines specific procedures to ensure a swift and effective response, enables organizations to minimize the damage caused by cyber incidents, and reduces operational downtime, financial loss, and reputational impact, particularly when sensitive information is at risk. A CIRP may be required under state or federal regulations, depending on your industry or the types of data your organization processes.

Five Essential Elements of a Cyber Incident Response Plan

The Incident Response Team

The Incident Response Team (IRT) is the cornerstone of any CIRP, comprising both internal and external members who are approved participants in the organization’s response to a security incident. While the composition of an IRT is necessarily based on available personnel and technical resources, the internal team is often headed by an executive, e.g., CIO, CTO, or CISO, and typically includes IT and cybersecurity professionals, legal advisors, and representatives from key departments such as human resources and communications. Externally, the team may also include cybersecurity response and remediation consultants, the company’s cyber insurance broker and carrier, and outside legal counsel specializing in incident response.

Bad actors are agnostic to holidays or vacations. Therefore, backup team members should be identified and included in the CIRP to ensure continuity in case primary members are unavailable during an incident. A detailed contact list should be maintained, including phone numbers, email addresses, and alternate communication methods (see below) to guarantee that designated team members can be reached quickly and discreetly. This contact information should be regularly updated and accessible, preferably in a secure, offline, and readily available format, ensuring that the team can mobilize immediately when an incident occurs.

Perhaps most importantly, the IRT must be qualified to participate in response activities through regular education and training. Incident response actions should be reflexive — time spent digesting and debating the nuances of your plan during an incident will have a direct impact on the outcome of your response. As such, IRT members should participate in attack simulation (tabletop) exercises in coordination with experienced cybersecurity counsel at least once per year.

The Communications Plan

At a minimum, every CIRP should include a basic, discretionary communications plan. This plan will outline both internal and external communication protocols and approval procedures, ensuring that accurate and consistent information is disseminated to all relevant parties. Internally, the plan must define the process for informing executives, the IRT, and employees about the incident, including what information should be shared and when. Externally, the CIRP should memorialize how the organization will communicate operational disruptions to customers, partners, stakeholders, and regulatory authorities, taking into consideration any contractual obligations that may dictate notification timelines or content. The plan should also outline procedures for managing media inquiries and public relations to control the narrative and protect the organization's reputation.

Given the high risk of email compromise during an incident, the communications plan should include redundancy measures such as alternative communication channels (e.g., third-party messaging apps) so that critical information can still be exchanged promptly and securely, and without tipping off an attacker who may still be reading the company’s email. Never rely on personal phone numbers or email accounts to exchange incident response communications, as those accounts and all content within could be subject to discovery in litigation or regulatory action.

Evidence Preservation

Evidence preservation is a critical component of the CIRP, particularly for ensuring that the organization can conduct a thorough post-incident investigation and meet any legal or regulatory requirements. When responding to a cyber incident, your IT and security personnel may be under immense pressure to contain active malware and recover impacted systems and data. An uncontrolled “tunnel vision” approach beset with pulled plugs and wiped systems greatly increases the risk of destroying evidence needed to determine the scope of impacted systems, accounts, and legally protected information. Without evidence to definitively rule out unauthorized access to certain systems and data, regulators, attorneys general, and your business partners will assume the worst. To be clear, erasing log or system data from a single machine could be a costly mistake.

Practically speaking, the CIRP should detail the process of securely capturing and storing all relevant data related to the incident, including logs, emails, system snapshots, and impacted physical systems. This evidence must be collected in a manner that maintains its integrity and prevents tampering or loss, which is crucial if the incident leads to legal action or regulatory scrutiny; in practice that means recording a cryptographic hash of each item at the moment of collection so that its integrity can be demonstrated later. Chain-of-custody procedures should be established and followed to document who handles the evidence, when, and why.
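The following is an added example, not code from the original article or from Ritter Gallagher, of the minimum mechanics behind the preservation step described above: each collected item is hashed with SHA-256 at acquisition, every hand-off is appended to a chain-of-custody list, the resulting manifest is itself hashed so it can be sealed with counsel, and a later re-hash reveals any item that was altered after collection. The file names, case identifier, log contents, and person names are constructed for illustration and are not real evidence.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def custody_entry(who, action, reason):
    """One chain-of-custody line: who touched the item, what they did, why, and when (UTC)."""
    return {"who": who, "action": action, "reason": reason,
            "when": datetime.now(timezone.utc).isoformat()}


def acquire(path, collector, reason):
    """Record an evidence item at the moment it is collected: identity, size, hash, first custody entry."""
    return {
        "item": os.path.basename(path),
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "custody": [custody_entry(collector, "acquired", reason)],
    }


def transfer(record, recipient, reason):
    """Append a custody entry when the item changes hands (e.g. handed to an outside forensics firm)."""
    record["custody"].append(custody_entry(recipient, "received", reason))
    return record


def manifest_digest(manifest):
    """Hash of the canonical JSON form of the manifest, so the manifest itself can be sealed."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(manifest):
    """Re-hash every item and return the names whose content no longer matches the manifest."""
    tampered = []
    for rec in manifest["items"]:
        if not os.path.exists(rec["path"]) or sha256_file(rec["path"]) != rec["sha256"]:
            tampered.append(rec["item"])
    return tampered


def demo():
    """Walk through acquisition, hand-off, sealing, and a later integrity check on constructed files."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample evidence (hypothetical hosts, accounts and addresses); not real logs.
        auth_log = os.path.join(workdir, "auth.log")
        with open(auth_log, "w") as f:
            f.write("Mar 03 02:14:07 fileserver sshd[4121]: Accepted password for svc_backup from 10.0.8.23\n")
        mail_export = os.path.join(workdir, "finance_mailbox.pst")
        with open(mail_export, "wb") as f:
            f.write(b"!BDN" + b"\x00" * 64)

        manifest = {"case": "IR-constructed-001", "items": [
            acquire(auth_log, "J. Doe (IT)", "SSH auth log from suspected initial access host"),
            acquire(mail_export, "J. Doe (IT)", "Mailbox export for compromised finance account"),
        ]}
        transfer(manifest["items"][1], "Outside forensics firm", "Mailbox analysis under counsel")
        sealed = manifest_digest(manifest)

        # Persist the manifest and reload it, as a later reviewer would.
        manifest_path = os.path.join(workdir, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        with open(manifest_path) as f:
            reloaded = json.load(f)

        intact = verify(reloaded)                      # nothing changed yet
        sealed_ok = manifest_digest(reloaded) == sealed  # manifest survived the round trip

        # Simulate a responder "cleaning up" the log after it was acquired.
        with open(auth_log, "a") as f:
            f.write("# truncated by admin during cleanup\n")
        changed = verify(reloaded)                     # the altered item is flagged
        return intact, sealed_ok, changed


if __name__ == "__main__":
    print(demo())
```

In real use the hashes and the sealed manifest digest would be recorded somewhere the responders cannot alter (a write-once store, or simply transmitted to outside counsel at collection time), and the custody list would be extended every time a drive or export changes hands, so that the "who, when, and why" the plan calls for is reconstructible months later.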

Ransomware Considerations

Ransomware poses unique legal, operational, and reputational challenges that must be addressed within the CIRP. Organizations should establish clear policies and thresholds for making decisions about whether to pay a ransom, which may include approval processes involving senior executives or board members. These policies should take into account the legal, financial, and operational implications of making a payment, including the risk of violating Office of Foreign Assets Control sanctions. It is essential to consult with experienced cybersecurity counsel and the organization’s cyber insurance carrier to understand the potential consequences of payment and to ensure that any actions taken are compliant with the organization’s insurance policies and applicable laws and regulations.

Additionally, the plan should outline steps for safely navigating ransomware incidents, such as the retention process for outside counsel and other external IRT members, engaging with law enforcement, considering alternative methods for data recovery, and understanding the potential impact of paying or refusing to pay the ransom. Involving external experts who specialize in ransomware negotiations and payments can provide critical guidance during such incidents and should be included in the CIRP.

Escalation Procedure

An effective escalation procedure ensures that incidents are promptly reported to the appropriate levels of management and external parties. The procedure should define clear criteria for escalating an incident based on factors such as severity, the type of data involved, the potential impact on business operations, and legal or regulatory obligations. For example, incidents involving sensitive customer data or critical infrastructure might require immediate notification to senior executives, the board of directors, and potentially external entities such as law enforcement or regulatory agencies. The escalation process should also specify the communication channels to be used and the format of the information that needs to be conveyed, ensuring that appropriate stakeholders receive accurate and timely updates to inform their decision making.

Additionally, the CIRP should include a step for engaging external experts, such as outside legal counsel and cybersecurity consultants, when the complexity or scale of the incident exceeds the organization's internal capabilities. By identifying these thresholds and clearly outlining the escalation process, the CIRP ensures that the response is proportional to the incident's severity and that all necessary stakeholders are informed and involved in a timely manner.

Validating Your Incident Response Plan

Simply having a CIRP in place is a great first step, but maintaining and pressure-testing the plan is equally important as its initial development. It should be a living document that evolves as the organization’s technology landscape, threat environment, and business operations change. This requires periodic reviews and updates to incorporate lessons learned from training scenarios and past incidents, changes in technology or products, and new regulatory requirements. By testing and refining the CIRP at least once per year, organizations will increase their resilience in the face of evolving cyber threats.

***

Need guidance drafting, updating, or testing your organization’s Cyber Incident Response Plan? We would love to help. Contact us via our website rittergallagher.com or reach out to a Ritter Gallagher attorney at contact@rittergallagher.com.
