Incident Response Plan Development

You learn today that your organization is facing some kind of cyber incident. Could be ransomware, highjacked O365 email account, PII or PHI exfiltrated, misconfigured network settings exposing data, etc. What do you do first?
Contact Us

If you have in place a well-thought-out cyber security incident response plan (IRP), you will know how to act swiftly and in the best ways possible to protect your network, operations and reputation. Whether you want to validate an existing IRP or are developing your first plan, Kroll’s experts can help. 

Unrivalled Insight Built into Every Incident Response Plan

As incident responders who every year work globally on thousands of cyber matters, we know the risk landscape well. We also have witnessed the value of organizations being prepared. 

In helping clients develop or validate an IRP, Kroll experts follow a methodology that integrates our front-line experience investigating persistent and emerging threats with guidance from leading security standards, such as the NIST Cybersecurity Framework and CIS Controls™ along with unique considerations based on your environment.

Some of the areas we will help you cover in building your plan include the following:

  • Assembling your incident response team (IRT). 
    Subject matter experts and key resources enterprise-wide should be involved in the response to ensure coverage of specific incident-related issues. 
  • Assigning IRT responsibilities. 
    The role of everyone on the IRT should be outlined and each team member’s responsibilities clearly defined. 
  • Outlining technical protocols. 
    It is human nature for technical teams to want to try and fix something before having to escalate the problem. Unfortunately, this often leads to a loss of critical evidence that has hurt many an organization. We can advise on the steps for IT and security teams to follow upon detecting an issue, including escalation points.
  • Determining authority to call an incident. 
    Your IRP should also cover protocols related to notifying senior leadership, external partners such as outside counsel or your insurance carrier, and regional or industry-specific regulators. 
  • Establishing communications procedures and responsibilities.
    In a crisis, the ability to communicate cannot be taken for granted. We will help you examine and decide how the IRT will communicate securely if corporate email becomes unsafe to use or not accessible due to ransomware. Also, we will help you determine who will communicate with external parties, such as outside counsel, your insurance carrier, law enforcement, the media and regulators. 
  • Gathering and documenting pertinent information. 
    Our experts will help ensure you compile information that will be critical to have in the event of an incident. This includes technical diagrams/schematics as well as comprehensive contact information for key resources such as:
    • IRT members and their alternates (backups)
    • Essential internal stakeholders (e.g., executives and legal counsel)
    • Vendors or providers of specialty services, e.g., investigations, forensics and remediation; breach notification; crisis communications; and cyber insurance 
  • Determining a review and testing schedule.
    IRPs cannot be a create-and-forget exercise. Based on the complexity of your organization, we will help you determine measures for updating the plan organically (e.g., when members leave the company or change roles) and provide for a regular testing schedule (e.g., quarterly or annually). 

Worried about protecting your physical assets and the safety of your personnel? Developing a business continuity plan is key

Kroll’s enterprise security risk management team covers the on-the-ground assistance your organization may need to defend against physical threats of all kinds. Our experts can help you build a comprehensive business continuity/business resiliency plan by determining the overall physical threat landscape, assessing vulnerabilities and setting protocols to respond to unforeseen incidents in the workplace or work facilities. Click here to learn more.

Call for an Incident Response Plan Consultation Today

Beyond the pragmatic guidance that a cyber incident response plan provides, developing an IRP also signals to regulators, data subjects and other principal stakeholders your commitment to proactively address cyber threats. Take advantage of Kroll’s years of unique cyber incident response experience to better prepare to respond to a cyberattack. To learn more about creating an incident response plan or validating and testing an existing plan, contact us today. 


Application Security Services

Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.

Optimized Third-Party Cyber Risk Management Programs

Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.

Third Party Cyber Audits and Reviews

Ensure that your third parties are handling sensitive data according to regulatory guidelines and industry standards with our cyber audits and reviews.


CFIUS Compliance and Review

Helping organizations manage CFIUS, Team Telecom and FOCI requirements.

Incident Response Tabletop Exercises

Kroll’s field-proven incident response tabletop exercise scenarios are customized to test all aspects of your response plan and mature your program.