Building Cyber Resiliency

By Claudia Rast, Shareholder, Chair of IP, Cybersecurity & Emerging Technology Group

    Preparing for the Cyber Incident Before it Happens

    Cybersecurity articles and webinars are quick to advise on what to do when the cyber incident happens. While this advice is extremely helpful, my recent focus has been to advocate the steps one can take in advance of the cyber incident. This is particularly true for small and emerging companies as well as middle-market companies that don’t have the multi-million-dollar budgets to implement the security tools and hire the forensically trained IT staff to stave off the daily onslaughts from threat actors and nation states that intend to do us harm. In other words, short of implementing the typical cyber defenses that these high-end budgets can afford, what should companies do? My simple response is this: build resiliency into your everyday network and employee training, prepare for the event as if it will happen, and never assume that you’re done. This is not a one and done world, and no IT defense is perfect as long as humans are involved.

    Building Resiliency

    So, how does a company build that resiliency? There are three basic steps: (1) create the Incident Response Plan (IRP), (2) recruit the Incident Response (IR) team, and (3) implement robust and comprehensive training that includes full-scale tabletop exercises. In my experience, it is the rare client who appears with its IRP in hand and IR team in the wings. Most clients need immediate help and advice, and hours, if not days, can be wasted in the aftermath of a cyber incident with the client wondering if its insurance policy will cover the event, and if so, what will it cover, whether its policy requires paneled experts (and if not, where does one find those experts), what laws apply, who needs notification, and more. When properly prepared and used, IRPs are well worth the time and energy it takes to prepare them because most of these questions will be answered as the IRP is drafted. IRPs become valuable roadmaps for navigating the early chaotic hours of a cyber incident. In addition, and as noted above, IRPs are extremely useful tools during the process of their preparation, for as the initial IR team drafts the IRP, they must identify, connect with, and gain buy-in from their internal and external IR teams and familiarize themselves with the function and interconnection of the entity’s basic digital infrastructure. The IRP and IR team are critical to the entity’s successful response and recovery from a cyber incident. The real trick is to ensure that the IRP does not languish on the company server, and the internal IR team does not forget its training. The IRP should be readily available in hard copy and tucked into the laptop case or backpack of every internal IR team member, and training that includes expansive tabletop drills engaging all members of the IR team should be an annual exercise.

    Retain External IR Experts

    Whether your IT staff is internal or external, unless their day job involves digital forensics and cybersecurity, you should engage specialized and experienced third parties to assist with incident response, and the same goes for your legal team. Necessary decisions in the early days of the cyber incident have far-reaching legal ramifications: a cyber incident is not an event for the legal novice to gain on-the-job experience without guidance. Experts in forensics, law, and public relations are the main external partners of the IR team, and their skill and experience are invaluable. Cyber insurance policies will generally list paneled legal and forensic teams, but it is the rare insurer that will refuse qualified experts as long as they agree to the insurer’s panel rates. Once vetted and engaged, these external IR team members can conduct periodic vulnerability assessments and be active participants in your tabletop exercises with internal IR members. Contact your insurance broker to confirm pre-approval of these external IR team members.

    Access FBI & CISA Resources

    The Cybersecurity & Infrastructure Security Agency (CISA) is a federal agency that offers free tools and templates for incident response, such as cyber hygiene services that include vulnerability scanning and web application scanning. Check out the link here: https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools. CISA also offers a wide variety of tabletop exercise packages for download: https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages.

    The FBI is another helpful partner when the cyber incident occurs. The Office of Private Sector oversees the Bureau’s effort to increase collaboration and information sharing with the private sector. Check out this link describing how the FBI works with businesses: https://www.fbi.gov/how-we-can-help-you/office-of-private-sector. Building relationships with the FBI and/or CISA agents in advance of an event allows sufficient familiarity for all to be ready, willing, and able to work together when the inevitable incident happens.

    Final Thoughts

    Perhaps the most important message is the realization that you are never “all set”; the measures you implement, the tools you deploy, and the training you roll out must be subjected to continuous scrutiny and updating. Everyone from the C-Suite to the storeroom must participate, successfully, in cyber scenario training. Every person in your company represents a potential pathway for threat actors to find and exploit. In sum, draft your IRP, recruit and assemble internal and external IR members, and conduct periodic tabletop exercises. These measures create the resilience needed to survive a cyber-attack. Entities that actively prepare and train for cyber incidents are those that recover faster, better, and with far less economic loss than those who do not.
