Building Organizational Muscle For Cyber Incident Response
Protect operations, revenue, and trust
By Marsh Cyber Risk Team
While no organization wants to experience a cyber incident, they are increasingly frequent today, making proactive preparation critical. The tone from the top of an organization plays an important role. Organizations may want to consider viewing incident preparation as an opportunity to shore up defenses and foster a cyber-resilient culture. By adopting a mindset focused on readiness, organizations can turn a potential crisis into a more manageable event, aiming to minimize operational, financial, and reputational impacts.
Boards must treat cybersecurity as a business continuity issue that touches every function. For food and consumer goods companies, a system outage can translate quickly into spoiled inventory, halted production lines, and immediate revenue loss. Directors should expect metrics that map cyber outcomes to business outcomes — days of outage, revenue at risk, and time to validate product safety — rather than just technical indicators.
Organizations that prioritize planning and training not only might be more effective and confident, but can also reduce the cost of an incident, as this may shorten recovery time, as well as potentially aid with insurance claims. From ransomware attacks and accidental data leaks to third-party outages and AI-enabled threats, today’s digital risk landscape demands more than technical responses. It requires strategic, company-wide readiness. Resilience and recovery can depend on preparation, coordination, and execution. When the pressure is on, a well-rehearsed response plan can make all the difference.
Understanding cybersecurity incidents: from human error to AI-driven threats
Today’s attackers are often highly professional and work in sophisticated organizations. Rather than using brute-force attacks to reach their targets, they increasingly use social engineering, insider access, or other means to steal credentials. They do not break into the organization; they log into it. Once there, they might wait for months before acting.
But not all cyber incidents are caused by malicious actors, and not all of the causes are obvious. Many incidents stem from basic human error or outdated systems and flawed processes, such as a failure to deactivate credentials when someone leaves the business. Below are some of the incident types to consider when planning a response.
- Ransomware: Threat actors encrypt the data in a system and demand a ransom to release it. In some cases, they might also exfiltrate the data and threaten to release it publicly. Dealing with an incident like this can disrupt operations for weeks, potentially incurring significant costs due to business interruption.
- Business email compromise: This is an email-based social engineering attack that appears to come from a legitimate source, with the goal of deceiving employees or vendors into sharing sensitive information or transferring funds. Strict verification procedures and employee training can help mitigate this risk.
- Outages: In addition to malicious attacks, third-party platform failures or accidental system misconfigurations can cause unexpected downtime.
- Data breaches: Personally identifiable information (PII), financial data, intellectual property, or other sensitive information is exposed, either accidentally or because of infiltration by an attacker.
- AI threats: Although generative AI has not been used to create a new type of attack, it can amplify existing threats by helping attackers scale and speed up their efforts, through techniques such as deepfake-driven phishing and automated credential stuffing.
Incident preparation — how to build effective cyber response plans
The most effective responses tend to start long before an incident occurs. Preparation is about more than IT controls; it is about readiness across the entire organization. Having a plan can be essential, but for the plan to be effective, it must be understood, regularly practiced, and kept updated as internal and external circumstances change.
A common planning weakness is that businesses fail to coordinate across departments. The chief information security officer (CISO) might think they understand the organization’s essential processes and prioritize restoring them in the event of an outage, but the operations team might be expecting other processes to be restored first.
For example, IT might prioritize getting the email system back online while the finance department is urgently waiting for the enterprise resource planning (ERP) system so they can process payroll. It is also important to note that, in many cases, the CIO — not the CISO — is responsible for system restoration.
While their responsibilities may differ, their priorities should be aligned so that the response is effective. Alignment between internal teams and external stakeholders may also be critical when it comes to insurance claims.
These misalignments can cause costly delays if they are not identified and dealt with during the planning phase.
Cybersecurity incident preparation checklist
- Develop and maintain a written incident response plan (IRP), and review it often, ideally quarterly.
- Define roles and responsibilities across key areas, including technical, legal, PR, and operations. Verify that the C-suite knows its responsibilities.
- Many attacks will cripple communications systems, such as email and company phones. Identify and test a secure out-of-band (OoB) communication platform, such as Marsh Central, that enables your organization to communicate off network.
- Coordinate backup strategy with operational priorities and regularly test backup restoration procedures.
- Align stakeholders on preferred vendors for legal, forensics, PR, and crisis communications. Verify that your insurer has pre-approved these firms to support a smoother claims process. Build a relationship with these vendors before an incident happens, enabling them to understand your response plan.
- Conduct regular tabletop exercises at technical, management, and board levels. These used to happen once a year, but it is now recommended to carry them out more frequently.
- Confirm cyber insurance coverage, notice requirements, and vendor pre-approval.
Cybersecurity awareness training combined with ongoing vulnerability management can be essential for building cyber resilience. Organizations that prioritize proactive training and implement rigorous vulnerability assessment and patching procedures tend to be better equipped to reduce the risks posed by evolving cyber threats.
Cybersecurity employee training checklist for readiness
- Consider implementing an employee training campaign focused on the risks associated with social engineering attacks.
- Update awareness training and communications content, at least annually.
- Verify with your security leadership that help desk procedures have been recently reviewed and strengthened, if necessary, as they are often easy attack targets.
- Establish a secure out-of-band (OoB) communication platform for activities beyond incident coordination with your broker, and train leaders on its use, potentially during a tabletop exercise.
How to respond when a cyber incident happens
When a cyber incident happens, the initial reaction is often confusion. It can be hard to know exactly what is happening, how it is happening, and what the immediate steps should be to contain it. Time is of the essence, but so is discipline. Having a good plan in place is one of the best ways to help confirm that the important questions are addressed and that the right actions are taken. Jumping too quickly to recovery, or failing to coordinate legal, technical, and reputational strategies, can worsen the impact.
One potential mistake is wiping and reimaging devices too soon, which can destroy evidence that would be valuable to investigators or erase data that is not backed up elsewhere. Another common problem is when teams restore from backup without knowing how long an attacker has been in the system; if the intrusion predates the backup, the backup itself may also be compromised. An active response checklist should include:
- Activate your incident response plan and notify insurers immediately.
- Use your OoB platform to maintain secure communication.
- Contain the threat: isolate affected systems and limit the blast radius.
- Involve legal counsel, digital forensics, and breach response specialists early.
- If ransomware is involved, evaluate the situation with specialist support (and with insurer consent if payment is being considered).
- Align internal and external messaging.
Post-incident cyber security recovery and steps for resilience
Once the immediate threat has been neutralized, the real work begins. Beyond the technical tasks, recovery is a financial and operational challenge that can stretch over a long period.
It is not unusual to have to reconstruct billing records from scratch because backups were either encrypted or incomplete, or to face prolonged downtime because virtual infrastructure configurations were not backed up. At this stage, documentation is vital, both for regulatory compliance and for supporting insurance claims.
Consumer trust is fragile and can be repaired only with speed and transparency. For consumer-facing brands, how you communicate in the first 24–48 hours can determine long-term loyalty and the degree of regulatory scrutiny. Boards should require preapproved messaging templates and a customer outreach playbook tied to technical recovery milestones. A structured recovery protocol should include:
- Restore systems securely, confirming that backups are clean and free of embedded threats.
- Engage forensic accounting to quantify business interruption and support insurance claims.
- Retain evidence and documentation for legal and investigative purposes.
- Conduct structured lessons-learned workshops across all stakeholder groups.
- Update the incident response plan, training procedures, and vendor escalation protocols.
- Communicate transparently with affected customers, partners, and regulators.
- Review cyber insurance, contractual obligations, and legal frameworks for future preparedness.
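The two backup points above (restoring from backup without knowing how long the attacker has been present, and confirming that backups are clean before restoring) can be turned into a concrete check. The following is an added example, not Marsh's code or a tool the article describes. It assumes a backup catalog that records, for each snapshot, when it was taken and the SHA-256 digest the backup job computed at creation time, plus a forensics-supplied date for the earliest known indicator of compromise; the 30-day dwell-time margin, the snapshot names and the payloads are constructed sample values. A snapshot is rejected if it was taken after the earliest indicator minus the margin, or if its current digest no longer matches the recorded one; the newest remaining snapshot is the recommended restore point.

```python
"""Choose a restore point that predates the suspected intrusion window.

Added example (not Marsh's code). Assumes a catalog that stores, per snapshot,
the time it was taken and the SHA-256 the backup job recorded at that time.
"""
import hashlib
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_entry(snapshot_id, taken_at, payload, tampered=False):
    """Build a constructed catalog entry; 'tampered' simulates a snapshot
    that was altered after its digest was recorded."""
    entry = {
        "id": snapshot_id,
        "taken_at": taken_at,
        "payload": payload,
        "recorded_sha256": sha256_hex(payload),
    }
    if tampered:
        entry["payload"] = payload + b"-altered"
    return entry


# Constructed sample catalog: payload bytes stand in for snapshot contents.
SAMPLE_CATALOG = [
    make_entry("erp-2024-02-15", datetime(2024, 2, 15, tzinfo=UTC), b"erp-feb-15"),
    make_entry("erp-2024-03-01", datetime(2024, 3, 1, tzinfo=UTC), b"erp-mar-01"),
    make_entry("erp-2024-03-15", datetime(2024, 3, 15, tzinfo=UTC), b"erp-mar-15", tampered=True),
    make_entry("erp-2024-04-01", datetime(2024, 4, 1, tzinfo=UTC), b"erp-apr-01"),
]

# Assumed inputs: earliest indicator of compromise dated by forensics, and a
# margin for how long the attacker may have been present before that indicator.
EARLIEST_IOC = datetime(2024, 3, 20, tzinfo=UTC)
DWELL_MARGIN = timedelta(days=30)


def classify_backups(catalog, earliest_ioc, dwell_margin):
    """Label each snapshot: integrity-mismatch (digest no longer matches),
    inside-compromise-window (taken after cutoff), or clean-candidate."""
    cutoff = earliest_ioc - dwell_margin
    results = []
    for entry in catalog:
        if sha256_hex(entry["payload"]) != entry["recorded_sha256"]:
            status = "integrity-mismatch"
        elif entry["taken_at"] >= cutoff:
            status = "inside-compromise-window"
        else:
            status = "clean-candidate"
        results.append({"id": entry["id"], "taken_at": entry["taken_at"], "status": status})
    return results


def choose_restore_point(catalog, earliest_ioc, dwell_margin):
    """Return the id of the newest clean candidate, or None if every snapshot
    is either inside the suspected window or fails its integrity check."""
    candidates = [
        r for r in classify_backups(catalog, earliest_ioc, dwell_margin)
        if r["status"] == "clean-candidate"
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["taken_at"])["id"]


if __name__ == "__main__":
    for row in classify_backups(SAMPLE_CATALOG, EARLIEST_IOC, DWELL_MARGIN):
        print(f"{row['id']:<16} {row['taken_at'].date()}  {row['status']}")
    print("restore point:", choose_restore_point(SAMPLE_CATALOG, EARLIEST_IOC, DWELL_MARGIN))
```

The integrity check runs before the date check so that a tampered snapshot is never treated as a candidate regardless of its age. When no snapshot survives both checks the function returns None rather than the oldest available one, which is the signal to escalate to forensics and the insurer before any restore proceeds.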
Cyber readiness as an ongoing discipline
The most resilient organizations tend to treat cyber readiness as an ongoing discipline, not a one-off project. They know incident response is as much about people and processes as it is about firewalls and backups. Keep this checklist in mind:
- Build and regularly test your response plan.
- Practice with real tools and real people.
- Know your communication strategy, especially when systems are down.
- Align internal teams and external vendors in advance.
- Use secure out-of-band platforms such as Marsh Central.
- Keep insurance informed throughout.
- Learn from every incident, even close calls.
Continuous improvement means treating exercises and close calls as board-level learning opportunities. Insist on a structured lessons-learned review after every exercise and real incident, with clear remediation owners and timelines. This transforms cyber readiness from a compliance checkbox into a measurable capability that protects customers, revenue, and brand.
Please note that the use of a cyber incident management plan, including the above checklists, does not guarantee any result, including the outcome of any potential claim.