Don’t Let First Responders Be the Last to Know: The Benefits of an IR Retainer and Tips to Maximize its Value

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

A frantic call to 9-1-1 about a burning building and firefighters are quickly dispatched to contain the blaze. As they race to the scene, they are already in possession of intimate details of the building’s layout. They know where structural dangers may exist, and this allows them to jump in without hesitation to begin containment of the blaze.

In the case of a cyber attack, the crisis level feels much the same—the viability of the organization is at risk—but unless the company has taken the initiative to have “firefighters” on call, ready to spring into action, the impact of a cyber emergency can rapidly escalate and become insurmountable. Negotiating fine print contract terms with first responders in the middle of a cyber crisis, as attackers siphon out critical data and cover their tracks wastes valuable days. The time to establish and prepare your team of responders is before emergencies happen.

Having a team of incident responders on retainer is vitally important to minimizing the damage of an attack. Beyond simply ensuring that a company will be able to make a 9-1-1 call to someone, a retainer provides the comfort of guaranteed response times. It gives you the opportunity to find a service provider that is a good match for your company. You can collaborate with the team you’re hiring before an incident occurs, providing the contracted responders the opportunity to understand your architecture, operations and processes, and giving you a chance to get to know them and their methodologies outside of a crisis. This ingrains incident response into the fabric of your information security risk management efforts, greatly enhancing your ability to recover from an attack and ensure business continuity.

The following tips can help you maximize the value of this ongoing relationship:

  • Communicate key elements of the agreement with the IR firm to internal stakeholders
    One key advantage of an IR retainer is the confidence that knowing responders are on call whenever they are needed brings to the organization. But if the obligations of the response firm and the timeline they are expected to adhere to aren’t clearly communicated throughout the organization, expectation mismatches among responders and key stakeholders can derail response efforts at a time when close coordination is critical. Organizations should ensure awareness of important details of the response plan among all levels of management – including executive leadership and the board of directors – including: who the in-house and external team members are, how quickly responders are guaranteed to be on site, and each team member’s role.
  • Formally rehearse the IR plan with your external incident response team (IR team)
    Have all of the parties in your company who are involved in your IR plan participate in “tabletop” rehearsals at least once per year. This will give your internal and external teams the opportunity to familiarize themselves with each other and formally integrate the IR firm into your plan—defining when the firm will be activated, what specific roles it will play and when. In particular, the internal security team needs to be familiar with the IR provider’s resources who are available by way of the agreement. Rehearsals encourage cohesiveness among all of the internal and external parties who need to play a role when a cyber crisis occurs, ensuring you can function as one united team, working effectively and efficiently toward a common goal when minutes, and even seconds can count.
  • Socialize capabilities, key concerns, and internal gaps with your external responders
    Familiarize the IR firm with the environments within which they’ll be working. Show them critical parts of the infrastructure and where there may be visibility limitations, and detail in-house capabilities and gaps. This way your responders will know your capabilities, key concerns, issues, and obstacles, enabling them to avoid known dead ends and respond to incidents more quickly and effectively.Additionally, many IR teams can perform risk and readiness assessments and proactively recommend solutions before crisis strikes.

At its most basic, having an IR team on retainer ensures rapid response time, which is a key factor in mitigating the risk of reputational and financial damage from a breach. But there is so much more the retainer can do for a firm if its leadership proactively devotes the time and effort required to ensure success. It’s the difference between simply having access to 9-1-1, and having a team of local firefighters with blueprints to your building who can respond and contain a fire quickly and effectively, and often before irreversible damage is done.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber

I am: In the C-Suite or a Director

Tags: incident response, cyber attack, cyber resilience, incident response retainer



Commentary, new discoveries, and innovative ideas right to your inbox.

Stroz Friedberg

Sorry! You are using an older browser which is not supported by this website.

Please download one of these free browsers to enjoy all our website has to offer:
Firefox, Chrome or Internet Explorer.