When a security incident hits, most organizations with a cyber insurance policy do exactly what they're supposed to: they call the insurance company for help. It's the logical move; after all, you've been paying those premiums for exactly this moment.
But here's what many don't realize until it's too late: getting incident response through your cyber insurance policy involves more friction and uncertainty than most people expect. And in the middle of a breach, the last thing you need is uncertainty.
"It can be a dice roll," said Inversion6 CISO Damir Brescic. "An insurer might have 5 to 10 different partners that they associate with, and you could get any one of them. But the real problem isn't which team you get; it's that whoever shows up is coming in completely cold."
When you invoke your cyber insurance IR coverage, you're typically assigned to one of several panel providers. Think of them as in-network doctors for cybersecurity incidents. Sounds good on paper, until you realize what that actually means in practice.
"Often these folks come in with no idea who this company is," Brescic said. "Some of the good ones might take you through a one-to-two-hour verbal interrogation. What do you have in place? What have you used? What kind of firewalls do you have? Send us over your logs. But the not-so-good ones might just grab some common open-source tools and just ask permission to launch it onto your network."
"If you have to bring in a new provider, you're also going to have to sign contracts with them," added Tyler Hudak, Director of Incident Response at Inversion6. "In my experience, that takes at least a day. I've seen it take up to two to three days, and most IR teams won't start working or fully working until those contracts are signed."
Bottom line: you're burning time, and during an active breach every minute you lose is a minute your attacker can use to move laterally, exfiltrate data, or establish persistence.
Compare that to working with a dedicated IR provider who already knows your environment.
"If a client has an IR retainer contract with us, or if they're already working with our SOC or one of our CISO advisors, we already have a leg up," said Brescic. "Within 15 to 20 minutes, Tyler's team can be up to speed, and they can get to work."
Here’s another fundamental difference between cyber insurance IR and a dedicated provider that often gets overlooked: what happens after the incident.
With insurance-based IR, the relationship ends when the incident does. You get help for that one event, then the team moves on.
"With the panel providers, typically you're only hiring them for that one incident," Hudak said. "When you have an active IR retainer with a provider like Inversion6, you have us for a longer period of time. We can work a single incident or 100 incidents."
Even if you have cyber insurance, you can also call your dedicated provider for help with smaller issues that wouldn't justify invoking your policy: a single compromised email account, malware on one system, or even just a threat intelligence briefing on emerging risks.
"We often become a sort of 'phone a friend' because you're not realistically going to call in your insurance for every single incident you have," added Hudak. "That's just not financially viable. But you can call us for the small things. We can jump on phone calls and discuss new potential threats."
Here's another issue that doesn't get discussed enough: what happens when your insurance IR team shows up with their own toolset.
"We are vendor agnostic," Hudak said. "So we're not going to come in and require the client to install our version of EDR everywhere. If we need to do that, we can, but if the client already has visibility, we're going to use everything that the client has."
That matters more than you might think. If a panel provider requires you to deploy their EDR across your environment before they can start working, you're looking at another day or two of delay, and that assumes a smooth rollout; agent conflicts with the EDR you already run, or hosts that can't take a new agent, can stretch it further.
There's one more element worth considering: the caliber of the team responding to your incident.
"Maybe we don't say this enough," said Brescic. "Inversion6 has an elite forensics and incident response team. You have to understand when you're talking to Tyler, you are talking to the guy who's been teaching everybody else around you for the last 10, 15 years at conferences."
Hudak also speaks highly of his CISO colleagues at Inversion6.
"Damir and the other CISOs have years of experience running incidents," he said. "They've seen a lot of things, both good and bad, happen during incidents and know how to react. That experience, when combined with the client relationship, is powerful."
When you're assigned to a panel provider, you're getting whoever's available. When you have a dedicated IR retainer with a proven team, you know exactly who's showing up, and you know what experience they bring, because you vetted them before the incident rather than during it.
Cyber insurance is important, and having IR coverage as part of your policy is valuable. But treating it as your primary incident response strategy has some limitations:
You don't know which team you'll get
They start from zero understanding of your environment
Contracts can delay response by days
The relationship ends when the incident does
You can't use them for smaller issues that don't justify an insurance claim
Setting up a dedicated IR retainer contract before a breach happens can help overcome these limitations. That's why we think it makes sense to be proactive about picking a provider you know and trust.
And if and when you need to involve insurance, a good IR partner can hand off cleanly, passing along the investigation work completed up to that point.
"We see plenty of instances where we start working on a case, and then the client's insurance provider or legal team brings in their own people," said Hudak. "No problem. We just hand it off, give them all the information, and when the client needs us again, they give us a call."
In cybersecurity, minutes matter. So does choosing the right Incident Response partner.