No organisation is immune from a cyber incident, so one of the key aspects of cyber risk management is having a strong incident recovery plan in place.

Author: Johnty Mongan


Cyber incidents often occur without warning and at inopportune moments. When they do, the unfolding crisis can cause conflicting opinions on the necessary action and also impair people’s judgement, so it’s important to have a documented and agreed plan in place to guide your response.

Despite the increase in cyber-attacks in recent years, and the constantly changing nature of the threats, less than one fifth of businesses have a formal incident response plan for managing cyber incidents.[1] Even more concerning, one in ten organisations has no plan at all.[2]

The four stages of a cyber-attack

To understand how to protect your organisation from a cyber-attack, you first need to understand how an attack works. In general, there are four stages to a cyber-attack.[3]

Survey—investigating and analysing available information about the target in order to identify potential vulnerabilities.

Delivery—reaching the point where the attacker has an initial foothold in the system.

Breach—exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access.

Affect—carrying out activities within a system that achieve the attacker’s goal.

19% of businesses have a formal incident response plan for managing cyber incidents.[1]

1 in 10 organisations do not have a cyber incident management plan at all.[2]


How to prepare your response plan

Work out your threat actors—one of the key factors in preparing your organisation’s response plan is working out the ‘threat actors’ (the groups or individuals capable of carrying out a cyber-attack) relevant to your organisation. This can help you make decisions on what you are actively going to defend against.

Contain the incident—it is important to contain the incident before it overwhelms resources or increases damage. To do this you will first need to determine the ‘how, what, where and when’ to confirm what kind of incident you are facing. Then, swift action will be needed to contain and isolate the affected systems. After the incident has been contained, it may be necessary to eradicate components of the incident, and to identify and mitigate all vulnerabilities that were exploited.

Take the necessary action—your plan must clearly state what action needs to be taken and by whom. This could involve, for example, calling in a contracted incident response company, taking down a public-facing website, notifying the relevant supervisory authority of a data breach, making a statement to the media, etc.

Investigate, recover and remediate—investigating the incident thoroughly with the help of a digital forensic team can help you understand the cause of the attack and what data has been compromised. This can help uncover any unpatched vulnerabilities or security loopholes that you may need to address.

Cyber incidents can occur in countless ways, so it’s difficult to develop step-by-step instructions for handling every single possibility. This is why partnering with a cyber risk management specialist can be so important—regardless of the size of your organisation or the sector you work in.

Gallagher’s Cyber Incident Response Clinics

Gallagher’s Cyber Risk Management team runs regular webinar clinics, providing a deep insight into how to plan and prepare for cyber incidents. The clinics provide a small, informal setting where we will help you identify, analyse and evaluate where the risks may be within your IT estate.

These sessions are aimed at the questions you should be asking about your cybersecurity and how to conduct a successful ‘lessons learned’ exercise in the event of an attack—allowing you to strengthen your cyber defences.

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.