
Best practices for cyber incident readiness

Creating and testing a cyber incident response plan before an incident occurs has long been a proven best practice.

Incident response planning is one of the 12 cybersecurity controls that most cyber insurers ask Marsh clients about during the underwriting process. And rightfully so. Creating and testing a cyber incident response plan before an incident occurs has long been a proven best practice. Persistent and pervasive cyberattacks underscore this need, whether they occur due to bad actors looking for economic gain or state actors working under political motives. 

It’s time to say goodbye to the incident response plans of “cyber past” and welcome a new approach.

As organizations that have experienced a cyberattack are learning, a cyber response is a complicated project to manage. Modern-day cyber incident response plans should be refreshed, with a new focus that takes into account evolving forms of cyberattacks, such as ransomware, and the increased sophistication of cyberattackers.

When developing or updating incident response plans, your organization will be well served to incorporate new best practices, including:

Host incident preparation response plans off-network in a location that can be safely accessed by all incident response team members.

Time is a precious commodity when responding to an attack in today’s cyber threat landscape. Attackers will often enter a network and encrypt its data, making it impossible to access any pre-determined plans or time-sensitive contractual requirements, preventing the possibility of a rapid response. The ability to quickly access and execute the incident response plan can mean the difference between success and failure.

Establish a secure, off-network, cyber “war room” and communication channel for incident response team members and external incident response vendors to communicate.

Safe and secure communication is extremely important when responding to an attack. Any type of confidential information, including copies of cyber insurance policies, should not be emailed or shared on the corporate network. If the network is compromised, this information could fall into attackers’ hands and be used against your organization. For example, attackers that have located cyber insurance policies have been known to match their extortion demands to cyber policy limits, gain access to credentials, and/or attend incident response virtual meetings.

Build and test response workflows for each type of incident to which your organization may be exposed.

Incident response tools, resources, and protocols are not one size fits all. Responding to an incident is incredibly complex. For example, how an organization handles a ransomware demand should differ from the response to an accidental data breach. All incident response team members should thoroughly understand — and prepare for — their precise role during a cyber incident.

An agile and modern cyber incident response plan works together with other critical information — such as clearly identified team members and a copy of the cyber insurance policy. When stored on a secure cloud-based platform outside of your organization’s network, the plan can avoid slow response times and reduce the financial and reputational impact of a cyber incident.

At Marsh, our focus is on helping you to promote better cyber outcomes and to build sustained cyber resilience.

Marsh’s Cyber Incident Management team has partnered with Cygnvs to provide you with a unique solution for emerging risks. By leveraging the Cygnvs platform, you will be equipped to quickly respond and manage a cyber incident. Access to the platform is free for all brokerage clients of Marsh’s Cyber Practice.
