How to build a cyber incident response plan

Having a CFC cyber policy is great protection from a cyber attack, but it's also important to have a incident response plan. So if an incident occurs, your business knows exactly what to do.

Cyber Article 2 min Wed, Sept 4, 2024

Developing a robust cyber incident response plan (IRP) is a sure way to help your team (and your cyber insurer) respond effectively to a cyber incident, greatly reducing the impact it can have on your business. But in order to create an effective plan, it does require some time and consideration from the senior members of an organisation.

A good plan is tailored specifically to your business and should be based on what threats or risks are most likely. For example, if your business handles or stores sensitive data, a data breach could be the most devasting of attacks. Whereas, if your business heavily relies on digital platforms to transact sales, a ransomware attack could be the threat you need to plan for.

If you'd like something to get started with, CFC's incident response experts have produced our own comprehensive IRP template that you can download and share with you clients. you can find it here. But if you'd like to create your own, we recommend the below.


A cyber incident response plan should include 5 key points:

  1. Key contacts

    People that will need to be contacted should an incident occur for example, your cyber insurer, IT persons, senior management, legal representatives, HR and external communication teams. Consider the risk of people being unavailable - include at least two contact methods and two or more people/groups.

  2. Escalation criteria

    To be used to determine how serious the response to an incident should be. A severity matrix is a good idea to help define what would classify the incident as a critical, high, medium, or low severity event.

  3. A basic flowchart or process

    This should cover the incident response life cycle and how your business will respond at each stage of:

    - Preparation
    - Detection and analysis
    - Containment, eradication and recovery
    - Post-incident activity

  4. Contact number or chat

    A dedicated internal phone number or chat group, available for important conversations regarding the incident.

  5. Regulatory requirements

    Basic guidance on legal or regulatory requirements, such as when to engage legal support, HR, or when to follow evidence capture guidelines.


In addition to these 5 key points, you may also want to consider:

  • Checklists to use to ensure all necessary tasks have been carried out and to see what task needs to be done next.
  • Forms for documenting and tracking the incident and for the post-incident review.
  • Playbooks/guidance on specific types of incidents to detail responses for common and high-risk incidents.

If you'd like to start from a template, CFC's incident response experts have produced our own comprehensive IRP template that you can download and share with you clients, you can find it here

 

Check out our other cyber security related resources in our cyber hub. For any other questions, please don't hesitate to reach out at cybermarketing@cfc.com.