
Cyber incident management: A checklist for business resilience

Today’s digital risk landscape demands more than technical responses. It requires strategic, company-wide readiness. Resilience and recovery can depend on preparation, coordination, and execution. When the pressure is on, a well-rehearsed response plan can make all the difference.

While no organisation wants to experience a cyber incident, incidents are increasingly frequent, which makes proactive preparation critical. The tone from the top of an organisation plays an important role. It is worth treating incident preparation as an opportunity to shore up defences and foster a cyber-resilient culture: a readiness mindset can turn a potential crisis into a manageable event and help minimise operational, financial, and reputational impact.

Organisations that prioritise planning and training tend to respond more effectively and confidently, and can reduce the cost of an incident by shortening recovery time and by supporting insurance claims. The range of incidents is broad, from ransomware attacks and accidental data leaks to third-party outages and AI-enabled threats, and each of them demands the same company-wide readiness.

“The biggest difference between organisations that manage incidents well and those that don’t is that the former actually follow the plan they’ve written.” Martin Leicht, US Cyber Claims Advocacy and Incident Management Leader, Marsh

“Many people still think of cyber incidents as hacker break-ins, but they can just as easily come from insiders. Another misconception is that these are IT problems, but a cyber breach in a manufacturing firm, for example, can cause physical damage.” Edson Villar, LAC Cyber Risk Consulting Leader, Marsh

1. Understanding cybersecurity incidents

Today’s attackers are often highly professional and work in sophisticated organisations. Rather than using brute-force attacks to reach their targets, they increasingly use social engineering, insider access, or other means to steal credentials. They do not break into the organisation; they log into it. Once there, they might wait for months before acting.

But not all cyber incidents are caused by malicious actors, and not all of the causes are obvious. Many incidents stem from basic human error or outdated systems and flawed processes, such as a failure to deactivate credentials when someone leaves the business. Below are some of the incident types to consider when planning a response.

  • Ransomware: Threat actors encrypt the data in a system and demand a ransom for the decryption key. In some cases, they also exfiltrate the data first and threaten to publish it, so a clean backup alone does not end the extortion. Dealing with an incident like this can disrupt operations for weeks, potentially incurring significant costs due to business interruption.
  • Business email compromise: This is an email-based social engineering attack that appears to come from a legitimate source, with the goal of deceiving employees or vendors into sharing sensitive information or transferring funds. Strict verification procedures and employee training can help mitigate this risk.
  • Outages: In addition to malicious attacks, third-party platform failures or accidental system misconfigurations can cause unexpected downtime.
  • Data breaches: Personally identifiable information (PII), financial data, intellectual property, or other sensitive information is exposed, either accidentally or because of infiltration by an attacker.
  • AI threats: Generative AI has not so far produced a new category of attack, but it accelerates existing ones by helping attackers scale and speed up their efforts, through techniques such as deepfake-driven phishing and automated credential stuffing.

“Much of what we see today isn’t about breaking in. It’s about logging in using stolen credentials, for instance, to operate as a legitimate user.” Jeff Bird, Cybersecurity Advisory Lead, Marsh

“You want to move fast, but you also need to understand the attacker’s tactics. If you act without knowing how they work, you risk making things worse.” Edson Villar, LAC Cyber Risk Consulting Leader, Marsh
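One concrete instance of the two points made above, that attackers log in rather than break in, and that a failure to deactivate credentials when someone leaves is a common root cause, is a routine reconciliation of HR leaver records against the identity directory. The Python below is an added example written for this page; it is not Marsh's code or a tool the article describes. The leaver list and directory export are constructed sample data, and the field names (`user`, `enabled`, `last_logon`) are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real records). In practice HR_LEAVERS would come
# from the HR system and DIRECTORY from an export of the identity provider.
HR_LEAVERS = {            # username -> last working day
    "jsmith": "2024-03-15",
    "apatel": "2024-05-02",
    "rlee":   "2024-06-20",
}
DIRECTORY = [             # assumed field names: user, enabled, last_logon (ISO 8601 or None)
    {"user": "jsmith",     "enabled": True,  "last_logon": "2024-07-01T08:12:00"},  # used after leaving
    {"user": "apatel",     "enabled": True,  "last_logon": "2024-04-30T17:40:00"},  # never disabled
    {"user": "rlee",       "enabled": False, "last_logon": "2024-06-19T09:00:00"},  # offboarded correctly
    {"user": "mchen",      "enabled": True,  "last_logon": "2024-07-02T10:00:00"},  # current employee
    {"user": "svc_backup", "enabled": True,  "last_logon": "2023-11-01T00:00:00"},  # dormant service account
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def review_accounts(leavers, directory, as_of_iso, dormant_days=90):
    """Flag leaver accounts that are still enabled (and, worse, still being used)
    and enabled accounts with no logon inside dormant_days. Findings are
    returned ordered by severity."""
    as_of = datetime.fromisoformat(as_of_iso)
    findings = []
    for acct in directory:
        user = acct["user"]
        last = datetime.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None
        if user in leavers:
            left = datetime.fromisoformat(leavers[user])
            if not acct["enabled"]:
                continue  # disabled on departure: nothing to report
            if last is not None and last > left:
                # A logon after the last working day is a live misuse signal:
                # the "log in, don't break in" pattern in practice.
                findings.append(Finding(user, "critical",
                    f"leaver account used on {last.date()} after departure on {left.date()}"))
            else:
                findings.append(Finding(user, "high",
                    f"leaver account still enabled since departure on {left.date()}"))
            continue
        # Not a leaver: dormant but enabled accounts are the stale-credential
        # surface that a stolen password can quietly reuse.
        if acct["enabled"] and (last is None or as_of - last > timedelta(days=dormant_days)):
            findings.append(Finding(user, "medium",
                f"no logon in more than {dormant_days} days; disable or justify"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in review_accounts(HR_LEAVERS, DIRECTORY, "2024-07-03"):
        print(f"{f.severity:8} {f.user:12} {f.reason}")
```

Run regularly (and certainly before a tabletop exercise), the "critical" class is the one to escalate straight into the incident process: an enabled leaver account with a logon after the departure date is not a hygiene finding but a sign that someone is already operating as a legitimate user.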

2. Incident preparation

The most effective responses tend to start long before an incident occurs. Preparation is about more than IT controls; it is about readiness across the entire organisation. Having a plan is essential, but for the plan to be effective it must be understood, regularly practised, and kept updated as internal and external circumstances change.

A common planning weakness is a failure to coordinate across departments. The chief information security officer (CISO) might believe they understand the organisation’s essential processes and prioritise restoring them in an outage, while the operations team expects other processes to be restored first. For example, IT might prioritise getting the email system back online while the finance department is urgently waiting for the enterprise resource planning (ERP) system so it can process payroll. Note also that, in many organisations, the CIO, not the CISO, is responsible for system restoration. Their responsibilities differ, but their priorities should be aligned so that the response is effective. Alignment between internal teams and external stakeholders also matters when it comes to insurance claims.

These misalignments can cause costly delays if they are not identified and dealt with during the planning phase.

Preparation checklist

  • Develop and maintain a written incident response plan (IRP), and review it often, ideally quarterly.
  • Define roles and responsibilities across key areas, including technical, legal, PR, and operations. Verify that the C-suite knows its responsibilities.
  • Many attacks cripple communications systems such as email and company phones, and an attacker who still has access to your email can read the response being coordinated there. Identify and test a secure out-of-band (OoB) communication platform, such as Marsh Central, that enables your organisation to communicate off network.
  • Coordinate backup strategy with operational priorities and regularly test backup restoration procedures.
  • Align stakeholders on preferred vendors for legal, forensics, PR, and crisis communications. Verify that your insurer has pre-approved these firms to support a smoother claims process. Build a relationship with these vendors before an incident happens, enabling them to understand your response plan.
  • Conduct regular tabletop exercises at technical, management, and board levels. These used to happen once a year, but it is now recommended to carry them out more frequently.
  • Confirm cyber insurance coverage, notice requirements, and vendor pre-approval.

Cybersecurity awareness training combined with ongoing vulnerability management is essential for building cyber resilience. Organisations that prioritise proactive training and maintain rigorous vulnerability assessment and patching procedures tend to be better equipped to reduce the risks posed by evolving cyber threats.

Employee training checklist

  • Consider implementing an employee training campaign focused on the risks associated with social engineering attacks.
  • Update awareness training and communications content, at least annually.
  • Verify with your security leadership that help desk procedures, in particular identity verification before password or multi-factor authentication (MFA) resets, have recently been reviewed and strengthened where necessary; help desks are a frequent target of social engineering.
  • Additionally, establish a secure out-of-band (OoB) communication platform for activities beyond incident coordination with your broker, and train leaders on its use, potentially during a tabletop exercise.

“It’s easy to invest in tools and plans, but when the building is on fire, many don’t use them. We see clients not even using the tools they have put in place.” Martin Leicht, US Cyber Claims Advocacy and Incident Management Leader, Marsh

“Tabletop exercises should happen at three levels: technical, operational, and executive. Each group faces different challenges and needs to rehearse accordingly.” Jeff Bird, Cybersecurity Advisory Lead, Marsh

3. Incident Response

When a cyber incident happens, the initial reaction is often confusion. It can be hard to know exactly what is happening, how it is happening, and what the immediate steps should be to contain it. Time is of the essence, but so is discipline. A good plan is one of the best ways to ensure that the important questions are asked and the right actions taken. Jumping too quickly to recovery, or failing to coordinate legal, technical, and reputational strategies, can worsen the impact.

One potential mistake is wiping and re-imaging devices too soon, destroying evidence that investigators need (memory and disk images, logs) or erasing data that is not backed up elsewhere. Another common problem is restoring from backup without knowing how long an attacker has been in the system: a backup taken after the initial intrusion may already contain the attacker’s tools and persistence, so restoring it hands the environment straight back to them.

Active response checklist

  • Activate your incident response plan and notify insurers immediately, within the policy’s notice requirements.
  • Use your OoB platform to maintain secure communication.
  • Contain the threat: isolate affected systems and limit the blast radius. Where possible, disconnect rather than power off, so that volatile evidence in memory is preserved for forensics.
  • Involve legal counsel, digital forensics, and breach response specialists early.
  • If ransomware is involved, evaluate the situation with specialist support, and obtain insurer consent before any payment is considered; counsel should also confirm that a payment would not breach sanctions rules.
  • Align internal and external messaging.

“One common mistake is rushing straight to recovery. Without full analysis and eradication, you give the attacker the upper hand.” Edson Villar, LAC Cyber Risk Consulting Leader, Marsh

“You’d be surprised how bumpy it can be getting breach counsel or forensic teams aligned, especially when they’re not pre-approved by the insurer.” Martin Leicht, US Cyber Claims Advocacy and Incident Management Leader, Marsh

4. Post-incident

Once the immediate threat has been neutralised, the real work begins. As well as a technical task, recovery is a financial and operational challenge that can stretch on for weeks or months.

It is not unusual to have to reconstruct billing records from scratch because backups were either encrypted or incomplete, or to face prolonged downtime because virtual infrastructure configurations were not backed up. At this stage, documentation is vital, both for regulatory compliance and for supporting insurance claims.

Checklist for recovery

  • Restore systems securely, confirming that backups are clean and free of embedded threats: restore from a point that predates the earliest known attacker activity, and scan restored systems before reconnecting them to the network.
  • Engage forensic accounting to quantify business interruption and support insurance claims.
  • Retain evidence and documentation for legal and investigative purposes.
  • Conduct structured lessons-learned workshops across all stakeholder groups.
  • Update the incident response plan, training procedures, and vendor escalation protocols.
  • Communicate transparently with affected customers, partners, and regulators.
  • Review cyber insurance, contractual obligations, and legal frameworks for future preparedness.

“The recovery often takes longer than the breach. It’s the hidden costs that hit the hardest, such as missed billing, lost revenue, and delayed operations.” Jeff Bird, Cybersecurity Advisory Lead, Marsh

“If attackers were in your network for months, they might also be in your backups. Restoring without checking could just restart the breach.” Edson Villar, LAC Cyber Risk Consulting Leader, Marsh
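The restore-point problem raised in the response and recovery sections above (a backup taken after the attacker arrived is itself suspect) becomes mechanical once forensics has established an earliest-known-compromise date. The Python below is an added example for this page, not Marsh's code or a tool the article describes. The backup catalogue is constructed sample data, its tuple shape is assumed, and the seven-day safety margin is an assumed parameter. The function selects the newest verified backup that predates the compromise window, and the second scenario shows the failure mode the quote warns about: when dwell time exceeds what the catalogue covers, no backup is trustworthy and the answer is to rebuild rather than restore.

```python
from datetime import datetime, timedelta

# Constructed backup catalogue (not real data): (backup_id, taken_at ISO 8601,
# passed_integrity_check). Assumed shape; a real catalogue would come from the
# backup platform's API.
BACKUPS = [
    ("full-2024-01-07", "2024-01-07T02:00:00", True),
    ("full-2024-02-04", "2024-02-04T02:00:00", True),
    ("full-2024-03-03", "2024-03-03T02:00:00", False),  # checksum mismatch on verification
    ("full-2024-04-07", "2024-04-07T02:00:00", True),
    ("full-2024-05-05", "2024-05-05T02:00:00", True),
]


def restore_plan(backups, earliest_compromise_iso, safety_margin_days=7):
    """Pick the newest verified backup taken before the suspected compromise window.

    The window starts at the earliest attacker activity forensics has found,
    pulled back by a safety margin because "earliest known" is only a lower
    bound on dwell time. Backups inside the window are reported as tainted
    rather than silently used. restore_from is None when no clean candidate
    exists; that is the case to plan for explicitly (rebuild from known-good
    media), not an error.
    """
    compromise = datetime.fromisoformat(earliest_compromise_iso)
    cutoff = compromise - timedelta(days=safety_margin_days)
    clean, tainted, corrupt = [], [], []
    for backup_id, taken_iso, verified in backups:
        taken = datetime.fromisoformat(taken_iso)
        if not verified:
            corrupt.append(backup_id)          # failed integrity check: never restore
        elif taken < cutoff:
            clean.append((taken, backup_id))
        else:
            tainted.append(backup_id)          # may carry the attacker's persistence
    if not clean:
        return {"restore_from": None, "data_loss_days": None,
                "tainted": tainted, "corrupt": corrupt}
    taken, backup_id = max(clean)              # newest clean backup limits data loss
    return {"restore_from": backup_id,
            "data_loss_days": (compromise - taken).days,
            "tainted": tainted, "corrupt": corrupt}


if __name__ == "__main__":
    # Scenario 1: intrusion found to start on 20 April; the March backup is corrupt.
    print(restore_plan(BACKUPS, "2024-04-20T00:00:00"))
    # Scenario 2: attacker present since early January, longer than the
    # catalogue goes back. Every backup is suspect and restore_from is None.
    print(restore_plan(BACKUPS, "2024-01-10T00:00:00"))
```

The `data_loss_days` figure is what finance and forensic accounting need for the business-interruption calculation, and the `tainted` list is what the technical team must not touch until eradication is complete.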

5. Summary checklist

The most resilient organisations tend to treat cyber readiness as an ongoing discipline, not a one-off project. They know incident response is as much about people and processes as it is about firewalls and backups.

Keep this checklist in mind:

  • Build and regularly test your response plan.
  • Practice with real tools and real people.
  • Know your communication strategy, especially when systems are down.
  • Align internal teams and external vendors in advance.
  • Use secure out-of-band platforms such as Marsh Central.
  • Keep insurance informed throughout.
  • Learn from every incident, even close calls.

“Organisations that get it right think beyond tools. They align their internal and external teams long before the first alert.” Martin Leicht, US Cyber Claims Advocacy and Incident Management Leader, Marsh

“We’re all on the same side in cybersecurity. Consider sharing lessons learned outside your organisation. That helps everyone stay ahead of the next one.” Jeff Bird, Cybersecurity Advisory Lead, Marsh

Please note that the use of a cyber incident management plan, including the above checklists, does not guarantee any result, including the outcome of any potential claim.
