With cyberattacks consistently on the rise, companies must be able to respond and act quickly on all threats to reduce the risks and minimize reputational damages and legal consequences.
Damage often snowballs due to the delays and mistakes organizations make handling these cyber incidents. That’s because the employees who respond to cyber incidents typically only do so when necessary.
However, cyber incidents should ideally be responded to by experts who devote 100% of their time to the endeavor. To bridge security gaps, many organizations hire external providers that offer incident response retainer services rather than retain their own internal incident response teams.
What is an incident response retainer?
An incident response (IR) retainer is a fee paid by a company to an external vendor who agrees to be available in the event of a cybersecurity incident, says Will Sweeney, founder and manager partner of Zaviant Consulting.
“This is a surface-level agreement so that when an incident occurs the company will be prepared to help you deal with the incident and prevent it from spreading or getting worse and turning into a larger problem,” he says.
Such an agreement between an organization and an incident response service provider sets up the parameters in which the two will work together, says Jess Burn, principal analyst at Forrester Research Inc.
A retainer locks in a specific response time when a breach is declared by the organization and it contacts the service provider. This often includes a set amount of time the IR provider will spend on digital forensics and incident response activities during a breach at a set hourly rate, Burn says.
“Often this rate is pre-negotiated between an IR provider and the organization’s cyber insurance carrier,” she says. “Companies with cyber insurance policies typically pick an IR service provider from a panel of providers approved by their carriers.”
Hours spent responding to an incident that go over the amount included in the retainer may be at a different rate than what the company paid upfront, but this is often also negotiated between the insurance carrier and the IR provider, according to Burn. Unused hours often carry over for a period to the next contract year and can be used for other services, such as incident readiness exercises.
Why do businesses need IR retainers?
Cyber incidents are a matter of when, not if, says William Candrick, director analyst at Gartner. While companies can manage and reduce cyber risks, they can’t prevent cyber incidents outright. Therefore, all organizations must have incident response capabilities.
“Most organizations either maintain their own computer security incident response teams and security operations centers or they outsource these capabilities; however, many organizations find that they need additional expertise, capacity, and capabilities on-call during a severe or complex incident,” Candrick says.
Effective management of a cyber incident hinges on three main factors: having qualified professionals, well-defined operational processes, and appropriate technologies in place when the incident occurs, says Shmulik Yehezkel, chief critical cyber operations officer at CYE, a cybersecurity startup in Tel Aviv.
“Without an incident response retainer service contract, complications arise,” he says. “Finding a proficient IR team on short notice can be challenging, and even if these experts are available, they may not possess the specific knowledge required for the incident at hand.”
IR retainers can address unique needs
In addition, each organization has its unique processes and assets, meaning it will take some time for IR teams to become familiar with operational complexities, which could lead to potential errors, Yehezkel says. And since IR teams rely on a variety of technological tools, they may encounter obstacles when they deploy these tools because of such factors as network architecture or existing security measures.
As such, businesses need to select their IR providers — from their carriers’ panels if they’re insured — as soon as possible, according to Burn.
“Don’t wait until you’re under attack to select one,” she says. “The benefit of a retainer is the onboarding process with the IR service provider. Often this provider holds several intake sessions to get to know the organization’s environment (are they cloud, on-prem, or hybrid, for example), their security tech stack, and the skills and competencies of the organization’s internal security team.”
The IR provider, the company, and the company’s outside counsel also typically draft and refine a three-party agreement in advance to ensure an IR provider works at the direction of outside counsel during the breach to protect attorney-client privilege, according to Burn.
“All of this greatly increases the efficacy of the provider during a breach,” she says.
The benefits of an IR retainer
Cybersecurity leaders face a global talent shortage, says Candrick. Simply put, there isn’t enough qualified cybersecurity talent to fill current demand.
“Therefore, incident response retainers are one way to quickly augment the in-house cybersecurity team or outsourced managed security service provider when advanced capabilities and additional headcount is needed during a severe or complex incident,” he says.
In addition, cyber insurance policies typically require a cybersecurity incident response retainer, among other requirements. So, organizations that are looking for cyber insurance policies or already have such policies in place will likely need to have a retainer to comply with those policies, according to Candrick. In fact, many insurers maintain their own panels of preferred retainer services, breach coaches, and other services.
Additionally, incident response retainers enable companies to better manage costs, says Javier Dominguez, CISO at Commvault, a provider of enterprise data protection software.
“You gain the benefit from having a pre-negotiated hourly rate and allocated budget should you need to exercise the retainer,” he says. “Not having [an incident response retainer] will place you at a disadvantage to negotiate and budget appropriately.”
What is included in an IR retainer?
According to Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, a provider of automated performance management software, an incident response retainer typically consists of the following elements:
- A comprehensive strategy for incident response that decreases the likelihood and financial impact of a data breach.
- Round-the-clock access to experts in incident response.
- Established communication channels and response playbooks to expedite recovery.
- Plan development and testing for managing incidents, along with creating a playbook.
- Support for remediation, crisis management, and communication after a breach occurs.
- Forensic tools for quickly addressing and reducing the impact of specific cyber threats.
- Training programs to boost an organization’s ability to detect and prioritize threats and minimize the time an attacker remains undetected.
Should companies buy or build incident response capabilities?
There are many operating models in this space, says Bryan Willett, CISO at Lexmark. “An organization could decide to completely outsource their entire security practice and incident response would be included,” he says.
“Or a company may deem that it is important for them to own the responsibility of managing cybersecurity risk within their organization. In this case, they will need to assess their response maturity and augment appropriately.”
There are only a few organizations in the world with all the expertise necessary to respond to a significant cyber incident, Willett adds. Even so, it is important for them to consider the potential legal liability associated with any incident and bring in third parties to collect the appropriate evidence in the event there is litigation surrounding an event.
“When considering this, it is important to work closely with your legal team and cyber insurance carrier to ensure that you’re taking the right steps to satisfy your insurance carrier’s claim requirements,” he says.
Should small or large companies get an incident response retainer?
Determining whether an organization should build or buy incident response capabilities depends on the company, as small organizations most likely won’t have the budget and headcount that would allow them to retain skilled incident response experts on staff, says Brandon Leiker, principal solutions architect, security at 11:11 Systems, a managed infrastructure solutions provider.
Additionally, they likely wouldn’t have situations occurring frequently enough to allow incident response experts to maintain their skill sets.
Larger organizations, however, may have the budgets and employees to allow them to retain incident response experts on staff, according to Leiker. They may also have the frequency of cyber incidents that would allow for employees with those skills to maintain and continue to hone their abilities.
Those internal employees would likely be able to appropriately address small to medium cyber incidents, but they still may need additional assistance to handle very large and serious cyber incidents, he says.
“[However], Incident response retainers can be a vital part of your organization’s incident response strategy regardless of whether you’re a small organization without the resources to build out incident response capabilities internally or a large organization that needs to augment its incident response capabilities,” Leiker says.