by Luke Dembosky, Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Andy Gutierrez, and Michelle Huang
As cyberattacks continue to plague U.S. companies, cybersecurity remains a core risk, even for businesses that have invested heavily in technical measures to protect their systems. As a result, cybersecurity best practices have evolved to include not only preventative measures, but also robust preparations for responding to cyber incidents, so that companies can improve their resilience, decrease the time it takes to detect and effectively respond to an attack, and reduce the overall damage. Because nearly every company will at some point face a successful attack, regulators, insurers, auditors, and investors view an incident response plan (“IRP”) as a key element of a reasonable cybersecurity program.
Part of the value of an IRP comes from the process of drafting it, which involves making decisions about how an incident will be handled (e.g., who should be drafting communications to impacted employees, who has the authority to shut down parts of the network, which incidents will be escalated to senior management, etc.). Determining these issues over the course of several weeks while drafting the IRP and consulting with the relevant individuals is much better than working through them for the first time under the stress and time constraints of an actual incident. Well-drafted IRPs also provide checklists of things to do when an incident occurs (e.g., preserve evidence, contact the FBI, notify the insurer, draft a public statement, determine a point-of-contact for external inquiries, etc.).