The IR provider, the company, and the company’s outside counsel also typically draft and refine a three-party agreement in advance to ensure an IR provider works at the direction of outside counsel during the breach to protect attorney-client privilege, according to Burn.
“All of this greatly increases the efficacy of the provider during a breach,” she says.
The benefits of an IR retainer
Cybersecurity leaders face a global talent shortage, says Candrick. Simply put, there isn’t enough qualified cybersecurity talent to fill current demand.
“Therefore, incident response retainers are one way to quickly augment the in-house cybersecurity team or outsourced managed security service provider when advanced capabilities and additional headcount are needed during a severe or complex incident,” he says.
In addition, cyber insurance policies typically require a cybersecurity incident response retainer, among other requirements. So, organizations that are looking for cyber insurance policies or already have such policies in place will likely need to have a retainer to comply with those policies, according to Candrick. In fact, many insurers maintain their own panels of preferred retainer services, breach coaches, and other services.
Additionally, incident response retainers enable companies to better manage costs, says Javier Dominguez, CISO at Commvault, a provider of enterprise data protection software.
“You gain the benefit from having a pre-negotiated hourly rate and allocated budget should you need to exercise the retainer,” he says. “Not having [an incident response retainer] will place you at a disadvantage to negotiate and budget appropriately.”
What is included in an IR retainer?
According to Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, a provider of automated performance management software, an incident response retainer typically consists of the following elements:
- A comprehensive strategy for incident response that decreases the likelihood and financial impact of a data breach.
- Round-the-clock access to experts in incident response.
- Established communication channels and response playbooks to expedite recovery.
- Plan development and testing for managing incidents, along with creating a playbook.
- Support for remediation, crisis management, and communication after a breach occurs.
- Forensic tools for quickly addressing and reducing the impact of specific cyber threats.
- Training programs to boost an organization’s ability to detect and prioritize threats and minimize the time an attacker remains undetected.
Should companies buy or build incident response capabilities?
There are many operating models in this space, says Bryan Willett, CISO at Lexmark. “An organization could decide to completely outsource their entire security practice and incident response would be included,” he says.
“Or a company may deem that it is important for them to own the responsibility of managing cybersecurity risk within their organization. In this case, they will need to assess their response maturity and augment appropriately.”
There are only a few organizations in the world with all the expertise necessary to respond to a significant cyber incident, Willett adds. Even so, it is important for them to consider the potential legal liability associated with any incident and bring in third parties to collect the appropriate evidence in the event there is litigation surrounding an event.
“When considering this, it is important to work closely with your legal team and cyber insurance carrier to ensure that you’re taking the right steps to satisfy your insurance carrier’s claim requirements,” he says.
Should small or large companies get an incident response retainer?
Determining whether an organization should build or buy incident response capabilities depends on the company, as small organizations most likely won’t have the budget and headcount that would allow them to retain skilled incident response experts on staff, says Brandon Leiker, principal solutions architect, security at 11:11 Systems, a managed infrastructure solutions provider.
Additionally, they likely wouldn’t have situations occurring frequently enough to allow incident response experts to maintain their skill sets.
Larger organizations, however, may have the budgets and employees to allow them to retain incident response experts on staff, according to Leiker. They may also have the frequency of cyber incidents that would allow for employees with those skills to maintain and continue to hone their abilities.
Those internal employees would likely be able to appropriately address small to medium cyber incidents, but they still may need additional assistance to handle very large and serious cyber incidents, he says.
“[However], incident response retainers can be a vital part of your organization’s incident response strategy regardless of whether you’re a small organization without the resources to build out incident response capabilities internally or a large organization that needs to augment its incident response capabilities,” Leiker says.