Skip to main content


A CISO’s guide to cyber risk: Responding to a cyber incident

Birdseye view of a road through a forest in winter with red car driving with headlights on

Cyberattacks and security incidents are an ever-present threat for all organisations, with one-in-five UK businesses recently identifying a sophisticated attack such as denial of service, malware, or ransomware. Embedding an incident response plan into business-as-usual activities can enable an organisation to respond calmly and effectively during a cyberattack. 

In the first article in our guide  to cyber risk for chief information and security officers (CISOs), we examine the steps an organisation can take before and during a cyber incident to mitigate its impact.

What does a good incident response plan include?

Marsh recommends that organisations have an incident response plan in place that defines its activities to detect, analyse, and remediate a cyber issue to restore normal operations as quickly as possible. Robust incident response plans include an escalation strategy, in case an attack spirals or becomes protracted, and a matrix to guide judgment of an event’s severity in order to determine priorities. 

External and internal incident teams should be identified, and roles and responsibilities of individuals clearly understood in advance. Including templates for responses to regulators, media, and data subjects in an incident response plan can save a lot of time, should an incident occur. Contingency plans should also be readily available and tested.

Ensure that the plan is kept up to date and is accessible to members of the incident response team even if systems go down.

Organisations should carry out a tabletop exercise at least annually in order to identify weak points in the incident response plan, and feed any lessons learned back into the plan.

Actions to take on the first day of a cyber incident

A cyber incident is defined as one or more information security events that compromise an organisation’s business operations and information security. This may include security breaches, denial of service, breaches of personal data, credential theft, phishing, compromise of systems and accounts, and data loss. 

Once a cyber incident has been determined, an organisation should do the following:

1. Gather the facts and invoke the incident response plan 

As far as you are able, establish what has happened and the nature of the incident. Importantly, determine which systems and devices have been affected and if any data has been impacted.
Follow your incident response plan and ensure teams do not operate in silos. It is important that you work alongside key stakeholders across the organisation (including legal, risk management, communications, human resources, and finance) when required.  

2. Notify insurers and broker 

Contact insurers and brokers immediately, so they can triage and provide support and guidance. If the incident takes place out of office hours, cyber policies contain a 24/7 hotline which should be contacted, in the first instance. 

3. Seek external help 

Reach out for third-party expertise, when needed. Cyber insurance policies come with a panel of advisers, vetted and approved by your insurers. Prior approval is almost always required from insurers for vendors not on the panel. If you do engage vendors that are not on your panel, this should be communicated to your broker and insurer as soon as possible. Your insurer should also be updated with statements of work as they are produced. 

Acting swiftly and competently in the first 48 hours of an attack is crucial to contain the incident and keep an organisation operational. 

Personal data breach

Establishing whether the incident has resulted in a personal data breach, and exactly what data has been affected, is fundamental in determining if a regulator needs to be notified. In the UK, an organisation is legally obliged to report breaches of personal data within 72 hours of becoming aware of them to the Information Commissioner’s Office (ICO), unless it can show the breach is unlikely to pose a risk to individuals’ rights and freedoms. 

Gather your incident response team

Once these initial steps have been taken, the CISO will typically work together with the insurers’ incident response panel to resolve an event. An incident response panel generally includes:

  • Forensic information technology experts, who work to determine the nature and scope of the attack and to contain and isolate it. They also collect and preserve digital evidence. 
  • Lawyers, to ensure an organisation’s response to the attack complies with relevant laws and regulations.  
  • Communications strategists, who help an organisation decide on key messages and how to relay them to their different audiences. 
  • Ransom negotiation specialists to provide threat intelligence on the threat actor group and where required, to conduct any negotiations.   

Marsh recommends that the CISO meets with any vendors they might want to engage with ahead of an event to understand how they work and, in turn, for the vendor to understand the organisation’s incident response process.

Establish a position on ransomware

Ransomware negotiators will normally be part of an incidence response panel. However, the decision of whether to pay a ransom or not lies with the organisation. It is recommended that an organisation discusses its stance on this complex issue ahead of an event. This can be a good topic on which to engage the board, potentially opening and informing a more general conversation on cyber incident management. 

Reduce risk of human error 

Some 95% of cyber issues can be traced to human error. Organisations should integrate cyber security training in their culture and clearly define for employees what constitutes a cyber incident, and actions that could unintentionally trigger a policy. 

How Marsh can help

  • Incident management: Marsh can help formulate your cyber incident response and support you during and after an incident. 
  • Onboarding sessions: Marsh can explain how your cyber policy works, the panel of vendors available to you, and how you can maximise your coverage.
  • Engagement with the board: Marsh can help you engage with your board either through cyber incident simulations or bespoke tabletop exercises.