
In the wake of the COVID-19 pandemic, the need for organizations to engage in crisis preparation has never been highlighted so acutely. As organizations have moved to a remote working model - one that may be here to stay - their incident response planning should have adapted to this new reality. This means accounting for the new risks that come with it as well. A major cybersecurity incident represents a true crisis for any organization, and forward-thinking organizations should prepare appropriately.

Multiple frameworks have been developed to guide organizations in this planning, including those put forward by the National Institute of Standards and Technology (NIST), the SANS Institute (SysAdmin, Audit, Network and Security) and Computer Emergency Response Team (CERT) organizations. At their core, however, these frameworks are similar. We find the NIST framework, set out in its Computer Security Incident Handling Guide (SP 800-61), particularly easy to engage with; it clearly articulates all phases of the incident response cycle. Below is a breakdown of the incident response lifecycle as per the NIST framework.

The Cyber Incident Response Lifecycle

[Figure: the NIST incident response lifecycle. Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. Containment, Eradication, and Recovery loops back to Detection and Analysis, and Post-Incident Activity feeds back into Preparation.]
We will use these steps to discuss the incident response lifecycle and demonstrate how preparations made long before an incident occurs can mean the difference between an organizational disaster and a methodical reaction that governs the chaos.

Preparation

1.1 The fundamentals
In many cases, fortune favors the well-prepared rather than the bold. Invariably, there will come a time when a risk materializes and a cyber incident occurs. Preparation is where the foundations of any future response process lie. In this phase, you should adopt a risk-based approach to cybersecurity, taking the time to:

  • Understand your organization’s technological and business environment;
  • Identify and track threats; and,
  • Document risks to your organization.

Now that you have defined your risks and identified your critical assets, you will need to implement an actionable plan that empowers your teams to tackle incidents should they occur. A major cyber incident presents a particular challenge: it is typically charged, stressful, and chaotic for the teams involved, and it usually draws in several internal and external stakeholders.

The worst time to plan for an incident is in the midst of one. However, an appropriate incident response plan, when regularly drilled and tested, will embed some of the response flow into your team’s muscle-memory. This will allow them to more efficiently bring order to the chaos of any response.

While the specific format of the plan is flexible, it should:

  • Contain an actionable response flow: The reader must be able to follow how a response should proceed chronologically in actionable, concrete steps. The inclusion of a flow chart and checklists can provide clarity and prevent missteps in the heat of an incident.
  • Describe how incidents should be classified: Clear criteria should be included to appropriately classify incidents. Common incident classifications include those that are critical, high, moderate, or low in severity. Not all incidents require the same focus, allocation of resources, or response teams. Low and moderate incidents can often be handled by IT teams following operational playbooks, while incidents of higher severity will often require wider skillsets, additional resources, tighter management, and potentially third-party support.
  • Establish clear communication channels: Incident response plans must clearly lay out what, when, and how information should be escalated by operational teams to other functions and stakeholders. Formal communication enables everyone to stay on the same page and reduces misunderstandings during a response. Small miscommunications can exacerbate an already challenging situation into a full-blown disaster.
  • Assign and describe roles and responsibilities: During an incident, all stakeholders should be aware of their roles and responsibilities. Formalized roles and responsibilities should be clearly outlined in a section of the incident response plan. They should go beyond the core technical team and cover all stakeholders involved in a response. Such stakeholders may include those from legal, marketing, public relations, manufacturing operations, and human resources.
  • Include third parties: These can include local law enforcement or regulatory bodies, insurance providers, external legal counsel such as breach coaches, public relations resources, and cybersecurity forensics firms.
  • Develop more prescriptive playbooks: Identify the most common incidents, or those tied to your critical risks, and define actionable playbooks to guide you operationally through a response related to these risks. These playbooks should contain more prescriptive steps than those found in the main response flow. For example, a major retailer may want to have a playbook for payment information being leaked, and a manufacturer may want to have playbooks covering ransomware scenarios to help ensure minimum downtime.
  • Take into account other planning: Incident response plans rely on and feed into other organizational planning. Relevant IT-focused business continuity and disaster recovery plans, as well as crisis management plans, should be referenced and tied to any incident response plan. Any triggers for activating these plans should be clearly defined and included to allow for a more seamless crisis response integration.

1.2 Awareness
Having a thoughtful response plan is essential, but not practically valuable to an organization unless it is properly socialized among those likely to be involved. The socializing format for incident response plans can vary. For the technical teams, which will be at the core of the response process, a full examination of the plan, multiple Q&A sessions, and scenario-based dry runs are likely warranted. For leadership teams, additional quick-reference material outlining their roles, responsibilities, and expected activities can be invaluable to prepare them for incident response.

1.3 Practice makes perfect (testing)!
Maximum value is derived from the plan by periodically testing it and updating it through continuous improvement. When training has been completed, the plan should be put to the test in some form of tabletop exercise.

For newly developed plans, these can be less intense sessions; for example, walking the plan through a series of scenarios and reviewing it for completeness and flow. In the case of more developed programs, a more intensive exercise can be developed. Here, the response team’s decision making, knowledge, and communication are tested by a series of “injects” which modify the situation as it unfolds. Either approach can be improved by leveraging a third party to design and manage the exercise. The third party can bring additional expertise in terms of scenario realism and free up team members to participate instead of facilitating the session.

Functional testing of technological solutions enabling an efficient response, such as backup restoration, is equally paramount. This can take the form of parallel interruption tests. Here, a second set of infrastructure is set up and tested so as not to interrupt the organization’s day to day operations. In the case of a full interruption test, the organization’s actual infrastructure is tested. Full interruption tests are inherently more disruptive but offer the most actionable feedback on your restoration plans.
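As an added example that is not part of the original article, the Python below automates a parallel restoration test of the kind described above: a constructed sample file tree stands in for production data, it is backed up to a tar archive, restored into a separate scratch directory so production is never touched, and every restored file is checked against a SHA-256 manifest taken before the backup. A deliberately corrupted restore is then run to confirm the check catches it. All file names and contents are made up, and the archive format is an assumption; the same manifest check applies to whatever backup product is actually in use.

```python
"""Parallel backup restoration test (added example, not from the original article).

Constructed scenario: a small 'production' file tree is backed up to a tar
archive, restored into a separate scratch directory (a parallel test, so
production data is never touched), and the restored copy is compared
file-by-file with a SHA-256 manifest taken before the backup.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for production files (assumption).
SAMPLE_FILES = {
    "erp/orders.csv": b"order_id,customer,total\n1001,ACME,250.00\n1002,Globex,75.50\n",
    "erp/config.ini": b"[db]\nhost=erp-db01\nport=5432\n",
    "hr/payroll.json": b'{"period": "2020-06", "employees": 42}\n',
}


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def backup(src: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of src (paths stored relative to src)."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")


def restore(archive: Path, dest: Path) -> None:
    """Restore the archive into dest, a directory separate from src."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        # The 'data' filter (Python 3.12+, backported to older releases)
        # refuses members that would escape dest via absolute or '..' paths.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(dest), **kwargs)


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Return (path, problem) findings; an empty list means the restore is good."""
    findings = []
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            findings.append((rel, "missing after restore"))
        elif restored[rel] != digest:
            findings.append((rel, "content mismatch"))
    for rel in restored:
        if rel not in manifest:
            findings.append((rel, "unexpected file in restore"))
    return findings


def run_restore_test() -> tuple:
    """Run a clean restore check, then a deliberately corrupted one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod = tmp / "production"
        for rel, data in SAMPLE_FILES.items():
            target = prod / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(prod)
        archive = tmp / "nightly.tar.gz"
        backup(prod, archive)

        # Parallel test: restore beside production, never over it.
        scratch = tmp / "restore_test"
        restore(archive, scratch)
        clean = verify_restore(manifest, scratch)

        # Simulate a silently truncated file in the restored copy to confirm
        # that the manifest check actually detects a bad restore.
        (scratch / "erp/orders.csv").write_bytes(b"order_id,customer,total\n")
        corrupted = verify_restore(manifest, scratch)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = run_restore_test()
    print("clean restore findings:", clean)
    print("corrupted restore findings:", corrupted)
```

Running this on a schedule against real backup sets gives the plan a recurring, evidence-backed answer to "can we actually restore?", and the manifest comparison is what distinguishes a restore that completed from one that is correct.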


Detection and Analysis

2.1 Detection methods
The detection phase uses technical or administrative security controls to detect malicious activity in the environment. Some common activities under this phase are explored below.

  • Network monitoring: Whether through a foundational control like a firewall or a more advanced solution like an Intrusion Detection System (IDS), tracking the activity of devices and users on the network is essential. Behavioural analytics supported by machine learning have made it easier to generate meaningful alerts from these solutions, but such monitoring has its limitations. Consider the massive shift to work-from-home models in the wake of the COVID-19 pandemic: much of the network activity that would generate alerts now takes place beyond the reach of on-premises security solutions, leaving many network monitoring controls hamstrung.
  • Endpoint monitoring: Traditional anti-virus solutions, as well as more advanced behavioral solutions, can alert you to infections on specific devices. Because they do not rely on the device being present on a corporate network, they can partially close the visibility gap caused by the shift to remote working.
  • Dark web monitoring: Third parties typically provide this service as a breach detection method by monitoring the dark web and other underground marketplaces for stolen corporate information and alerting you if and when it is found. This type of monitoring can be essential because it serves as a last line of defence for detecting an incident before it potentially becomes publicly acknowledged.

There are other controls which can be implemented, and the steps taken during the preparation phase should allow your organization to determine which of these controls should be prioritized.
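As an added example that is not part of the original article, the Python below shows the kind of behavioural rule an endpoint monitoring agent might apply to file-activity telemetry: one process renaming many files to a single new extension within a short window is flagged as ransomware-like mass encryption, while a backup agent that writes many files without changing extensions and a user renaming one document are not. Because the rule runs on events reported by the endpoint itself, it works whether or not the device is on the corporate network. All hostnames, process names, paths and timestamps are constructed, and the threshold and window are illustrative assumptions to be tuned against real baselines.

```python
"""Endpoint telemetry rule for ransomware-like mass renames (added example).

Not taken from the original article. Runs a simple behavioural rule over
constructed endpoint file-activity events: a single process renaming many
files to one new extension within a short window is treated as
mass-encryption behaviour. Hosts, processes and paths are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str          # "rename" or "write"
    path: str
    new_path: str = ""   # populated for rename events only


def _ext(path: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect_mass_rename(events: List[FileEvent], threshold: int = 20,
                       window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag each (host, process) that renames >= threshold files to one new
    extension within `window`. Threshold and window are illustrative values."""
    # Group extension-changing renames per host/process/new extension.
    groups = defaultdict(list)
    for ev in events:
        if ev.action != "rename":
            continue
        old_ext, new_ext = _ext(ev.path), _ext(ev.new_path)
        if new_ext and new_ext != old_ext:
            groups[(ev.host, ev.process, new_ext)].append(ev)

    alerts = []
    for (host, proc, new_ext), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        # Sliding window over sorted timestamps; alert once per group.
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "rule": "mass_extension_rename",
                    "severity": "critical",
                    "host": host,
                    "process": proc,
                    "new_extension": new_ext,
                    "count": len(evs),          # total renames to this extension
                    "first_seen": evs[0].ts.isoformat(),
                    "sample_paths": [e.path for e in evs[:3]],
                })
                break
    return alerts


def constructed_events() -> List[FileEvent]:
    """Constructed telemetry: a benign backup agent, a user renaming one draft,
    and one process renaming 40 documents to .locked in about 30 seconds."""
    t0 = datetime(2020, 6, 1, 9, 0, 0)
    events = []
    # Benign: backup agent writes many files but never changes an extension.
    for i in range(50):
        events.append(FileEvent(t0 + timedelta(seconds=i), "FS01", "backupagent.exe",
                                "write", f"D:/backups/finance_{i}.bak"))
    # Benign: a user renames a single draft document.
    events.append(FileEvent(t0, "WKS-117", "explorer.exe", "rename",
                            "C:/Users/jdoe/Documents/draft.tmp",
                            "C:/Users/jdoe/Documents/draft.docx"))
    # Suspicious: 40 office files renamed to .locked by one process.
    for i in range(40):
        events.append(FileEvent(t0 + timedelta(seconds=i * 0.75), "WKS-117", "updater.exe",
                                "rename", f"C:/Users/jdoe/Documents/report_{i}.docx",
                                f"C:/Users/jdoe/Documents/report_{i}.docx.locked"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_rename(constructed_events()):
        print(alert)
```

The alert dictionary is deliberately shaped for escalation: host, process, severity and sample paths are what the on-call analyst needs to triage and what the response plan's classification criteria key on. In production the rule would be one of several, and its threshold and window would be set from a baseline of normal file activity on the estate to keep false positives manageable.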

2.2 Alerting processes
Having the right incident response plan in place in conjunction with a well-trained workforce greatly increases the likelihood that when teams detect malicious activity, they will recognize it, triage it appropriately, and know how to alert the wider organization. In such cases, staff will be able to follow documented processes to determine the incident severity, what teams need to be involved, and what third parties need to be alerted.

For example, alerts from your monitoring services indicating that a ransomware incident is underway can result in panic. However, by having a team well versed in how to implement your response plan you increase the likelihood of that panic being set aside and appropriate action taken. Your organization will only benefit by being able to start working through the problem using steps developed at a calmer time.


Containment, Eradication, and Recovery

As can be seen in the NIST response framework flow above, detection flows into containment, eradication, and recovery, with the implication that each may be repeated multiple times during a given incident. This is intended to acknowledge the reality that, as the response process unfolds, new issues will likely be detected and addressed.

Let’s consider the same ransomware incident referenced above. In our example, imagine that the initial detection of the infection, containment of its spread, efforts to eradicate the ransomware itself, and recovery from backups, are all in motion. As this is occurring, the forensic investigation could surface that the attacker has ongoing access to other systems, representing a new detection and requiring the process to begin again. Without prior planning, this new thread of response can be lost in the minutiae of actions already underway, leading to missed steps and future headaches. 

Reporting and communication are paramount during this phase. With communication methods and cadence already known and defined in your incident response plan, leadership and other stakeholders can be kept apprised of the situation. This will enable them to make informed decisions, with minimal disruptions to the operational team carrying out the response. 

Post-Incident Activity 

When recovery has been completed across the organization, it can be tempting to simply put the incident behind you. However, doing so will be detrimental to your organization’s growth, as well as your preparedness to tackle similar incidents in the future. Understanding the cause of the incident, reviewing how your program can be improved, and implementing the improvements constitute an essential feedback loop. This feedback loop should be formalized in your incident response plan. 

Retained third parties like breach coaches or forensics firms can provide additional insight and lessons learned. Legal knowledge offered by breach coaches can improve your understanding of the legal environment your organization operates in and allow you to adapt your practices accordingly. Additionally, forensic firms often bring with them a breadth of experience from having responded to incidents across multiple sectors on a daily basis. They are therefore well-placed to provide insight into how your specific incident unfolded, as well as best-practice advice for how to respond going forward. Such insights should be incorporated in any post-mortem exercise to continuously improve your incident response plans, processes, and procedures.


A serious cybersecurity incident can present you with one of the worst days in your professional life. However, with appropriate planning and preparation, your organization will be able to respond to and recover from a major incident efficiently. Doing so will go a long way toward minimizing the impact of the incident, and can be the difference between an organizational disaster and a laudable success story.

About the authors
Maura Wiese is the Head of the Northeast Region for AXA XL’s Cyber & Technology insurance team. Contact her at
Aaron Aanenson is Director of Cyber Security for S-RM. He can be reached at

The information provided to you in this document is confidential and prepared for your sole use. It must not be copied (in whole or in part) or used for any purpose other than to evaluate its contents. No representation or warranty, express or implied, is or will be made and no responsibility or liability is or will be accepted by S-RM, or by any of its respective officers, employees or agents in relation to the accuracy or completeness of this document and any such liability is expressly disclaimed. In particular, but without limitation, no representation or warranty is given as to the reasonableness of suggestions as to future conduct contained in this document. Information herein is provided by S-RM Intelligence and Risk Consulting LLC on our standard terms of business as disclosed to you or as otherwise made available on request. This information is provided to you in good faith to assist you in mitigating risks which could arise. No implied or express warranty against risk, changes in circumstances or other unforeseen events is or can be provided. S-RM Intelligence and Risk Consulting LLC accepts no liability for any loss from relying on information contained in the report. S-RM Intelligence and Risk Consulting LLC is not authorised to provide regulatory advice.
AXA XL is a division of AXA Group providing products and services through three business groups: AXA XL Insurance, AXA XL Reinsurance and AXA XL Risk Consulting. In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. Not all of the insurers do business in all jurisdictions nor is coverage available in all jurisdictions. Information accurate as of June 2020.
AXA, the AXA and XL logos are trademarks of AXA SA or its affiliates. ©2020

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.