Skip to main content

Visit our Hurricane Resource Center to prepare, protect, and recover from a storm. We're here to help.

August 23, 2022

Cyber incident response road map

Put Content Author Name here

The following are frequently recommended steps upon suspected or determined unauthorized access or use of your computer network. This includes potential theft, loss, or unauthorized access/use of sensitive, personally-identifiable information or third party corporate information in your care, custody, or control.

A successful response involves prompt coordination of resources and the actions below can help business leaders plan ahead and strengthen their response and recovery efforts. 

1. Recognize the potential or confirmed cyber incident. 
Mobilize your internal incident response team to gather facts to establish what happened and when it was discovered. This includes finding which systems and devices are affected and what kind of data may be impacted.

2. Notify external partners (e.g., broker, carrier, or outside counsel). 
With the developing facts, contact MMA to assist in helping you notify the affected parties. Each situation is unique and can occur at all hours of the day. You may want to consider directly notifying your cyber carrier immediately using the 24/7 hotline or email.

Be mindful of utilizing electronic communications such as email if a suspected system compromise is suspected. Avoid sending copies of your policy internally or externally.

Contact a member of your carrier’s pre-approved privacy counsel with a focus on carrier consent and attorney-client privilege throughout the investigation. Coverage can be impacted if vendors are not pre-approved by the carrier and most have panel vendor requirements.  

3. Seek forensics assistance if necessary. 
Counsel will assist you in determining whether an external forensic firm will be needed to support your internal investigation. This will likely require approval by your carrier of the specific scope of work necessary to determine the existence, cause, and impact of the incident. This is because the data involved in the incident that will be reviewed is likely highly sensitive.  

4. Conduct initial scoping calls and foster carrier involvement. 
Consistent communications with the carrier representative establishes a good working relationship. Keep lines of communication open and foster collaborative investigation and response efforts. Common topics such as pre-approval of the specific forensics scope of work necessary for the investigation and self-insured retention erosion should be a top priority. MMA will continue to support you throughout the process. 

Other vendor considerations
In the event security breach notice law(s) require direct compliance including notification to individuals or regulatory agencies. Additional vendors may be needed to support the process and carriers often require pre-consent for vendors and public relations/crisis communication firms.

It is strongly recommended you use carrier approved incident response firms to help streamline the process and to minimize the chance of having expenses that are not covered by your policy. Please reach out to your Marsh McLennan Agency contact to report a suspected or actual cyber incident and we can help you through these steps.

This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors. Any modeling analytics or projections are subject to inherent uncertainty and the analysis could be materially affected if any underlying assumptions, conditions, information or factors are inaccurate or incomplete or should change. Copyright © 2022 Marsh McLennan Insurance Agency LLC. All rights reserved. CA Insurance Lic: 0H18131. MarshMMA.com