In today’s digital landscape, cyber incidents are inevitable. Organizations must be prepared to respond effectively and efficiently when a cyber incident happens. According to the National Institute of Standards & Technology (NIST), an incident response plan (IRP) is a document that provides instructions for an organization’s response to a cybersecurity incident. Cybersecurity incidents include, but are not limited to, a data breach, ransomware attack, data leak or business email compromise. An IRP guides organizations in detecting and identifying a cyber incident, responding to it, mitigating its consequences and minimizing related losses. An IRP also guides organizations in preventing the recurrence of a cyber incident, as well as correcting potential vulnerabilities and restoring an incident-impacted system.
With the growing number of cyber threats facing modern organizations, there is a need for preparedness, implementation, feedback, and review of an IRP. This article outlines recommended practices for drafting and reviewing an organization’s IRP.
Key Objectives of an IRP
An IRP prepares an organization to manage a cyber incident when it happens by minimizing the impact of an incident while helping to ensure an effective and efficient response. For organizations in heavily regulated industries or organizations collecting, processing, or storing vast amounts of personally identifiable information (PII), personal health information (PHI), electronic personal health information (ePHI), or other types of sensitive information, IRPs support their cybersecurity posture and preparedness. In addition, IRPs support organizations in mitigating legal liabilities by demonstrating their efforts to protect sensitive data in their possession.
Essential Elements of an IRP
A well-drafted IRP includes four core components: identification of potential cyber incidents; containment of the incident to limit the impact; eradication and recovery, removing the threat and restoring the organization’s operations; and post-incident analysis to learn from the incident, improve systems and update the IRP for future responses.
Recommended Practices for Drafting an IRP
- Involve cross-functional teams: An IRP requires a multi-departmental effort to ensure the plan is comprehensive. Members of different functions, including IT, legal, HR, and communications, should engage in the process.
- Clearly define roles and responsibilities: The successful execution of an IRP requires that team members be assigned specific roles and tasks at the outset to save time and hit the ground running when a cyber incident occurs. For instance, the IRP commander leads the response team, technical members lead the investigation, and communications lead internal and external messaging.
- Assess risk and identify critical assets: The IRP should be tailored to the specific organization and industry. The organization should assess potential industry-specific risks from cyber incidents and identify the critical assets that require protection and prompt remediation because a loss of access to them would disrupt the organization’s operations.
- Categorize the cyber incident: The IRP should incorporate distinct types of responses to address different categories of cyber incidents. A business email compromise requires a different approach than a ransomware attack; both require a plan.
- Document the IRP and provide yearly updates: Ad hoc committees and plans are not effective or efficient when dealing with a cyber incident. Organizations should document their IRP and perform an annual review to update roles, responsibilities, risk assessment and critical assets.
Recommended Practices for Reviewing and Updating an IRP
- Tabletop exercises: Regular training, testing, and simulations involving the plan help teams practice their responses, reveal gaps, and identify areas in need of improvement. It is not enough to have a plan in writing. The IRP team should practice its action plan to ascertain its effectiveness. Organizations should aim to do an annual tabletop exercise.
- Post-incident analysis and learning lessons: After an organization experiences a cyber incident, it should perform a post-incident analysis to assess what worked well, what did not and determine areas in the IRP requiring an update.
- Stay current regarding new threats: It is almost impossible to stay current regarding all the latest threats organizations face. However, it is helpful for an organization to be aware of new threats related to an organization’s specific industry. Assigning a business team, committee, or IRP member the task of periodically informing the IRP team about the latest threats can keep everyone informed about potential cyber threats targeting the business and highlight updates required in the IRP.
- Compliance and auditing requirements: Certain organizations have stricter regulatory requirements – both state and federal – regarding their cybersecurity programs. These industries include the health care, financial and insurance sectors. An organization’s regular review, assessment, and updates of its IRP may support compliance with such regulations.
- Align the IRP with the organization’s business continuity or disaster recovery plan: Cyber incidents tend to disrupt business operations. An IRP should align with the business’s continuity or disaster recovery plan. Such alignment ensures that the relevant business teams involved in the investigation and remediation of a cyber incident are aware of and support each other during an incident.
- Internal and external communications: The IRP should include a communications plan that reflects the organization’s general communication style. It is important to recognize that a cyber incident is not always a cyber breach; there are distinctions between the terms that have different legal implications. Communications personnel can and should be involved in supporting business teams that are part of the IRP to ensure the use of the correct terminology based on the stage of the cyber incident.
- Keep insurance information current: When an IRP is activated, all relevant insurance information should be current and easily accessible for the team member responsible for contacting the cyber insurance company.
- Enlist outside counsel ASAP: Involving outside counsel with expertise in incident response during a cyber incident investigation, remediation, and other related steps is essential for several reasons. First, outside counsel with expertise in incident response will pull together the vendors necessary for the investigation, remediation, and, if applicable, notices regarding the incident. Second, incorporating outside counsel while executing an IRP will protect certain communications under privilege so that all parties involved can move forward and focus on remediation. Third, outside counsel will provide legal guidance regarding regulatory and individual notice requirements applicable to the organization; timely assessment and determination will help the organization stay compliant with legal requirements while protecting consumers whom the cyber incident may impact.
A robust IRP is essential for any organization, particularly in highly regulated industries. Proactively preparing an IRP with clearly defined roles and responsibilities, conducting an annual plan review, and updating the provisions as new cyber threats or changes are identified can support an organization’s cyber incident preparedness. Of course, the nature of the IRP will depend on your organization’s needs, threats, vulnerabilities and objectives, all of which should be considered in how to prepare an IRP specific to your organization. The practices outlined above, however, can help organizations improve their resilience against cyber threats, minimize risk and protect their assets and customers.