So You Had a Cyber Incident. Now What?

By Emily Short

A step-by-step guide

A cyber incident has occurred.  Most companies then ask “now what?”  It’s not a position any company wants to find itself in, but unfortunately it’s no longer realistic to completely eliminate the chance of experiencing a cyber incident.  Instead, the goal should be to reduce the risk and impact of an incident when one occurs.  Recent studies and real-life examples show that the steps taken after a cyber incident are just as important as the preventative measures taken beforehand.  The speed with which an organization can recognize, analyze, and report an incident will greatly reduce the reputational damage done and lower the costs expended to recover.

IBM Security and Ponemon recently released the 2019 Cost of a Data Breach Report, which showed the average total cost of a data breach was $3.92M, and the average size of a data breach was 25,575 records.  Those numbers are staggering, and they will continue to increase in the future.  According to the report, lost business resulting from loss of consumer trust was the largest of four major cost categories that contributed to the total cost of a cyber incident.

The risks associated with a cyber incident cannot be ignored, and proper response is paramount.  So the real question is “now what?”

Activate the Incident Response Plan

If you suspect a cyber incident has occurred (or is occurring), activate the company’s incident response plan (IRP).  The IRP provides the roadmap by which organizations intake, evaluate, and respond to a suspected or actual incident.  Ideally, the IRP will help you navigate the murky waters in a clear and concise way.  There are many examples of companies that have mishandled the aftermath of a cyber incident.  These companies likely didn’t follow a pre-set plan, or may not have had one in place.  Mishandling the response to a cyber incident has lasting effects, including increased regulatory scrutiny and class action lawsuits.

Engage your Insurance Broker and Cyber Insurance Carrier

If the company has purchased cyber insurance, you should also engage your insurance broker and cyber insurance carrier.  Beyond complying with any notice requirements, a quality cyber policy will provide coverage for breach response costs, and many carriers utilize preferred vendors at discounted prices.  These vendors can assist with engaging a breach coach, providing a forensics team to assess the cause and impact of a breach, and hiring a PR company to help draft an appropriate response for the public.  Cyber incidents have become so prevalent that some cyber specialty vendors will not return phone calls unless a pre-existing relationship with a carrier exists.  These vendors simply don’t have time to respond to everyone who calls them.

Coverage doesn’t relieve companies of their obligations under state and federal laws, but the offerings provided by a policy can assist with responding to a breach.


According to the IBM Security and Ponemon Report, the average time to identify and contain a cyber incident was 279 days: 206 days to identify a breach and 73 days to contain a breach.  The study found that financial costs associated with a breach were significantly lower for breaches with a lifecycle of less than 200 days ($3.34M vs. $4.56M respectively).

Once a cyber incident is identified, cybersecurity consultants and computer forensic firms should be engaged to determine the extent, cause, and scope of the breach.  When the time comes to disclose the breach to the public, a company should be prepared to articulate what happened and what it is doing to prevent the incident from happening again.  A thorough investigation is essential.

Similarly, a legal review should be conducted by a “breach coach” or attorney specializing in data privacy matters.  Beyond determining whether the incident is actually a breach, the breach coach can assist with any notification obligations and regulatory inquiries.

When appropriate, law enforcement should also be engaged.  Cyber incidents generally stem from criminal activity, and law enforcement has the authority to pursue perpetrators.


Often, customers are more concerned with how an organization responds to a cyber incident than the fact that one occurred.  Although customers want companies to protect and manage their data responsibly, many understand a cyber incident can occur even with the best cybersecurity controls in place.  How a company handles the aftermath is often discussed more than the data lost.

Disseminating accurate and timely information minimizes the impact of a cyber incident.  Today’s consumer expects, and demands, rapid responses to crises, whether it’s a cyber event or physical peril.  The internet, social media, and the 24-hour news cycle create both opportunity and risk as it relates to PR/crisis communications.  Appropriate communication cannot be overlooked.


In addition to communicating the details of the cyber incident to the public, companies need to be prepared to report the incident to the proper regulatory bodies.

With the ever-changing regulatory landscape, it’s important that companies know which regulations apply to their organization, and what those regulations entail both from a security measure standpoint and a data breach reporting standpoint.  For example, under GDPR, simply failing to notify a breach within 72 hours is a violation, and the fines are severe.  Covered entities found to be in breach of the GDPR can be fined up to 4% of annual global turnover, or €20M, whichever is greater, depending on the nature of the breach.

As of May 1, 2018, all 50 states, the District of Columbia, Puerto Rico, and the US Virgin Islands have data breach notification laws, and none of them are consistent with one another.  Under some, biometric data may be considered personally identifiable information that triggers a notification obligation; under others, notification may not be required if the breached data was encrypted.  Although many have pushed for federal privacy legislation, it has yet to become a reality, so attention must be paid to these various regulatory requirements.

Conduct a Postmortem

Operational resilience is the ability to restore the company to normal business operations following an incident.  Once restored, most companies want to move forward and forget the cyber incident occurred.  However, conducting a postmortem is a vital step in the process.  The postmortem is a way to review what happened during the life of the incident, including the detection, analysis, and response processes.

Taking the time to learn from the incident will help you determine what went right and what needs to be improved.  Ask yourself: What went smoothly?  What would you do differently next time?  Did your incident response plan work?  Do you need to re-evaluate your risk management posture?  Use the experience to improve the overall incident response process.


It’s crucial companies not only invest in preventative measures, but also focus on their response.  As mentioned, the ultimate goal is to limit the effects of a cyber incident.  Businesses must move from consistently reacting to breaches to preventing and limiting incidents.  The ability to detect compromises early and respond quickly greatly minimizes the overall damage.


Emily consults on risk management and insurance solutions across a variety of industries, with a particular focus on technology, venture capital, and private equity risks.  Emily previously worked as a cyber and technology insurance broker at one of the largest international brokers.  Prior to that, Emily was practicing law, focusing on professional liability insurance defense.  In addition to her Juris Doctor, Emily completed the Certified Information Privacy Professional (CIPP/US) designation and the Registered Professional Liability Underwriter (RPLU) designation.  She is licensed to practice law in Kansas and Missouri and has her Kansas insurance license.  Connect with Emily on LinkedIn here.