Preparing for and Responding to Cybersecurity Incidents, Second Edition

We are pleased to present the updated edition of our guide: Preparing for and Responding to Cybersecurity Incidents. We are grateful for the positive response to the prior edition of this handbook and hope that this updated version will help you continue to refine your incident response capabilities. This new edition reflects insights gained over the past five years as we have worked with many of you on the most significant cybersecurity issues that you face.

An effective, legally defensible response to a cybersecurity incident should be tailored to the unique features of the incident, the corresponding legal and business risks, and the company’s culture. Still, we have seen several common principles repeatedly emerge across contexts. These principles—which are reflected throughout this handbook—merit consideration as businesses evaluate and refine their own incident response capabilities.

Preparation Pays Off

Effective preparation, tailored to the risks that each company faces, and its systems, processes, and culture, can make the difference between an effective and ineffective incident response. And preparation is an ongoing process. Ongoing refinement of relevant plans and playbooks, and periodic exercises and training are part of the steady-state function of effective incident response programs.

Diverse Threats Require Broad Capabilities

Businesses face a broad range of risks from a diverse array of threat actors, from data thefts by insiders to ransomware or extortion attacks by criminal groups or nation states. A company also may face attacks on different types of systems, from enterprise systems or operational infrastructure, to connected manufacturing or smart products. Response capabilities tailored to a point-of-sale data breach are unlikely to support an effective response to a manufacturing incident, to give just one example. As a result, a company will benefit from maintaining response capabilities that correspond to the range of risks that it faces.

Judgment Makes a Difference

Incident response teams are called upon to make numerous judgment calls, such as when to disclose an incident, how to balance containment and evidence preservation, and when to escalate response decisions to a company’s most senior leadership. Sound judgment—informed by experience—can make all the difference in determining whether the response to an incident will ultimately prove effective in managing risks to the enterprise.

Coordination is Critical

A cybersecurity incident can put seemingly countless demands on a business, including forensic investigation, communications, negotiations with business partners, regulatory notification across jurisdictions, and engagement with law enforcement. Decisions made in each field can have significant knock-on effects, making it vital for a company to coordinate the various work streams pursued during the incident response process.

Incidents are Increasingly Global

Significant cybersecurity incidents now increasingly span across borders as affected systems or individuals, or relevant records, may be located in multiple jurisdictions. Managing incidents across jurisdictions can require significant internal coordination on a global scale, tailored tools and preparation activities, as well as the support of an exceptional international network.

As reflected in these principles, cybersecurity incident response continues to grow in complexity and consequence for today’s businesses. We hope that this revised edition of Preparing for and Responding to Cybersecurity Incidents will be a valuable resource for in-house counsel, executives, and other stakeholders as they continue to hone their incident response capabilities to meet these important challenges.



Request a copy of the guide