Incident response and incident response planning

by John Bandler

Incident response planning and incident response is an important part of cybersecurity and good organization management.Incident response planning and incident response

All cybersecurity frameworks (e.g. cybersecurity best practices) include a component of incident response planning.

Legal requirements exist regarding incident response. This means organizations cannot simply do whatever they want, they need to look to laws and regulations, and ensure their response is in compliance.

Incident response planning has many benefits for organization management and cybersecurity. Organizations that think about and plan for the many troublesome incidents that could occur, realize the benefits of preventing those incidents, and prioritize accordingly.

Suffering from an incident right now?

If you are suffering from a cyber incident right now, you should consider these items. Of course, you may not have these dedicated personnel in house, or lined up externally, and every incident represents a compromise between what you would do with unlimited resources and time, and what you can do with existing resources.

  • Check your incident response plan, activate the incident response team
  • Contact your attorney/general counsel
  • Contact your information security/information technology experts
  • Contact your insurance company
  • Contact law enforcement
  • Contact necessary experts in investigation, forensics, etc.
  • Investigate and gather facts
  • Evaluate legal requirements
  • Evaluate various options as you proceed, try to pick the best choice
  • Reporting and notification to government and affected individuals may be required by law. If not required it might be advisable nevertheless.

Types of incidents

There are a number of types of cyber incidents organizations should be aware of and plan for. These include cybercrime related, natural disasters, and other human issues.

These are high priority cyber incidents

Other incidents can sometimes call for similar planning and response, including:

  • Active shooter
  • Serious crime
  • Serious injury or death

Legal requirements

The law may require you to do certain things. There are data breach reporting and notification laws, which under certain circumstances require organizations to notify the government and affected people of a data breach. If you are holding a person's personal information, and that information was accessed by a cybercriminal, you may need to notify that person, and the government.

This implies a duty to properly investigate incidents. Rest assured that government regulators are wise to the fact that many organizations would prefer to interpret facts as if nothing happened, and not to examine things too closely. Government is unlikely to show leniency for organizations or individuals who conceal, cover-up, or lie. We hope that government is fair for organizations that do their honest best regarding cybersecurity and reporting.

The possibility of a data breach or other improper data access, and related reporting requirements, needs to be explored for any type of cyber incident, including email compromise, ransomware, lost laptop, and more.

If you have cyber insurance, your cyber insurance policy with the carrier is a contract, and may impose legal obligations on you, including to notify the insurance carrier of a cyber event.

Note that I always call this the "cyber insurance policy", and that is different from a "cybersecurity policy" or procedure your organization might create as an internal rule for the organization.

Your incident response plan

You should have an incident response plan, and it should be of appropriate detail (or generality) for your organization.

For small organizations, I bundle the incident response plan with the cybersecurity policy (written internal rule), so that they are together in a single document, together, for ease of maintenance and review, and so no one forgets about the incident response plan.

If you do not have an incident response plan, see the one in my free cybersecurity policy.

The incident response

Incident response should include these things

  • Activate the incident response team and necessary personnel
    • Team leader and other personnel
    • Digital forensics
    • Information technology
    • Information security
    • Legal counsel
    • Compliance, anti-money laundering (AML), fraud investigations,
    • Public relations/communications
  • Investigate and gather facts. Without knowing facts, we cannot possibly make good decisions.
  • Analyze applicable law (consult lawyers as needed)
  • Contain the attack
  • Get the attackers out
  • Mitigate any damage
  • Try to recover any stolen funds quickly (before they leave the country)
  • Consider notification requirements, and if not legally required, if otherwise warranted
    • Law enforcement (federal, state, local, etc.)
    • Crime reporting portals (IC3, FTC, etc.)
    • Regulatory reporting regarding data breach (state attorney generals, regulators, etc.)
    • Notification to affected individuals
  • Recover
  • Repeat
  • After action review, analyze root causes, how to prevent it in the future, how to respond better in the future


After twenty years in law enforcement and having written a book on cybercrime investigation, this is close to my heart. Again, we need facts to make good decisions, and gathering facts requires investigation. Organizations need to do a diligent, reasonable investigation to gather facts, assess those facts, evaluate applicable laws, then make a sound decision.

It is not law enforcement's job to investigate for private organizations. Law enforcement is there to conduct criminal investigations in the name of the public and in the interests of justice. Thus, if organizations need facts and information, they need to gather those facts themselves.

Have a good decision making process

Organizations need to make a lot of decisions during an incident, including who to hire and what costs to incur. The idea is there is already a good decision making process in place. This is part of good management (governance).

Get through the incident

The goal is to get through the incident, protect the organization, comply with laws, and minimize the damages.

Though these events are very draining, organizations should try to improve themselves in the process (see next).


After the incident, organizations should try to improve themselves. This means identifying areas for improvement, what caused or contributed to the incident, evaluating how the response went, and thinking about improving for the future.

There can be a fine line between finger pointing, blaming, shifting blame, and honest assessment of deficiencies.

But at some point, the organization should assess what went wrong, and consider how to improve.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform, you assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

Originally posted 6/17/2023, updated 6/10/2024.