Byte of Prevention Blog

by Jay Reeves

The 4 Elements of a Cyber Incident Response Plan

Does your law firm have a Cybersecurity Incident Response Plan?

If not, how will you know what to do – and who to call – in the event of a cyber attack?

“If you have no IRP, you are asking for a catastrophe – and one likely to make the headlines,” according to this post at Above the Law. “Roll up your sleeves and get to work creating one. Then do regular tabletop exercises on the IRP, adding and subtracting issues (electric grid compromised, managing partner inaccessible on a safari, etc.). Make sure the IRP is accessible during a disaster – we saw one data breach where the IRP was only in electronic form and it got encrypted with all the other data by a ransomware attack. ‘Whoopsie-Daisy’ doesn’t quite cover the extent of that debacle.”

Overall, one in three law firms has a formal Cybersecurity Incident Response Plan (CSIRP). Eighty percent of large firms (100 or more lawyers) have one.

“A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information,” according to the cybersecurity compliance website Hyperproof. “Not having a detailed CSIRP in place will hurt you in a couple of different ways when you’re hit with a breach.”

Keep reading to learn the four indispensable elements of an effective CSIRP, according to the National Institute of Standards and Technology (NIST).


Four Elements of a Cybersecurity Incident Response Plan

#1 Preparation

“Your plan needs to detail who is on the incident response team—along with their contact information and what their role is, and when members of the team need to be contacted,” says Hyperproof. “Each member of this team, from the CEO to the members of the IT team, needs to understand their place on the team and what they need to do in the event of a breach. They also need to recall the details within your CSIRP so that when a security incident happens, they can respond quickly.”


#2 Detection and Analysis

“Security incidents can originate from many different sources and it’s not practical, or even possible, to create a plan to respond to every type of security incident possible,” per Hyperproof. “The NIST provides a list of some of the more common methods of attack that you can use as a starting point as you determine what steps to take in the event of a security event. You should also consider what vulnerabilities your company has and how likely an attack on one of those vulnerabilities is, and include those in your planning.”


#3 Containment

Here are the criteria NIST says you should consider when developing your containment strategy:

  • Potential damage to and theft of resources
  • Need for evidence preservation
  • Service availability (e.g., network connectivity, services provided to external parties)
  • Time and resources needed to implement the strategy
  • Effectiveness of the strategy (e.g., partial containment, full containment) 
  • Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution)


#4 Post-Incident Actions

“After the incident has been stopped, security updates have been made, and your organization is back on track, your organization should take some time to debrief,” recommends Hyperproof. “Reflect on what has happened and talk about how you can identify similar incidents in the future and stop them sooner. Assess the severity and damage. Revisit your CSIRP and ask yourself and your team if there was anything that would have made the plan more effective.

Begin the notification process.”


Sources: How to Create a Cybersecurity Incident Response Plan - Hyperproof

Your Law Firm Has Been Breached: Who Are You Going To Call? - Above the Law



About the Author

Jay Reeves

Jay Reeves practiced law in North Carolina and South Carolina. He was Legal Editor at Lawyers Weekly and Risk Manager at Lawyers Mutual. He is the author of The Most Powerful Attorney in the World, a collection of short stories from a law life well-lived, which as the seasons pass becomes less about law and liability and more about loss, love, longing, laughter and life's lasting luminescence.
