Cyber liability and data breach insurance specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said, though, that businesses face a challenge in drawing up such plans themselves, and that companies can often gain access to the network of experts they need by taking out cyber insurance policies.
"As a study by Symantec showed earlier this year, having a formal cyber incident response plan can help businesses reduce the costs they will inevitably incur in the event that they experience a data breach," Birdsey said. "It is important for companies to first understand what they plan to do in the event of a breach."
"A comprehensive incident response plan is likely to include reference to a network of experts in different jurisdictions who can help businesses with services ranging from IT forensics, PR, credit monitoring, customer engagement and general crisis management. However, it is a complex and significant exercise for companies to pre-appoint experts in the event of a breach and decide who should manage each aspect of that breach, particularly since the nature of a breach will remain unknown until it occurs," he added.
"The market for cyber liability and data breach insurance is growing. Insurers, as part of these products they are selling, often provide businesses with access to their own network of experts they have developed to help policy holders manage cyber incidents. Businesses should consider whether there is greater value in taking out cyber insurance so as to have hassle-free access to the network of experts, or whether to go it alone," Birdsey said.
The expert was commenting after management consultancy McKinsey flagged common faults it said it had identified in businesses' cyber incident response plans.
It said out-of-date policies on how to act in the event of a breach, or vague wording in that documentation, can render plans useless. A failure to integrate plans across the different "business units" of companies can also hamper efforts to manage responses to incidents affecting the entire organisation, McKinsey added.
The consultancy also said that incident response plans built on "tribal knowledge and existing relationships" can cause problems.
"When asked about incident response, many organisations will identify one or two 'go to' people who have the institutional knowledge to guide the organisation," McKinsey said. "This may result in a single point of failure when the resident expert is not available or does not have the capacity to identify and manage all the moving parts of a complex breach scenario."