Do You Really Need an IR Retainer?
When a cyber incident strikes, many businesses call on dedicated Incident Response (IR) firms for help.
They are anxious and scared, and they want the cavalry to arrive immediately. But without a pre-arranged retainer agreement, they could find themselves waiting in line behind others facing similar problems.
IR Retainers are proactive service agreements that guarantee priority access to cybersecurity experts when an incident occurs, typically at a lower cost.
That means when it hits the fan, those with a retainer are first in line.
Everyone else is considered an “on-demand” client, and they get help on a first come, first served basis.
Sometimes the wait is minimal. In a small-scale incident, it could be little more than a minor annoyance. But if you find yourself caught up in a global cyberattack, you could find yourself waiting a while without a retainer agreement.
Dollars and common sense
As important as they are, IR retainers do represent a significant investment. However, you may be surprised to learn the total financial cost of a proactive agreement is often less than on-demand services.
And this is before you consider the potential backend savings from having a pre-established relationship with an IR team.
In a real crisis, valuable time is expended trying to identify and onboard an IR team, all while an active breach is unfolding. The longer this attack remains uncontained, the greater the damage.
Worst case, this leads to higher recovery costs, greater reputational harm, bigger regulatory fines and more lost revenue.
Here’s a real-world example. A mid-sized financial firm (name withheld for obvious reasons) recently suffered a ransomware attack on a Friday evening. They didn’t have an IR retainer, so valuable time was wasted searching for an available cybersecurity firm.
By the time they found one that could be engaged, their entire network was encrypted. The attackers demanded a 7-figure ransom, and many of the artifacts needed for the investigation had already disappeared. They had few ways left to determine what had occurred during the attack. Had this firm had an IR retainer in place, response experts could have worked to contain the attack over the weekend and spent Monday restoring critical systems instead of reading ransom notes.
As you can see, the risk of waiting until an incident occurs can be far higher than the cost of being ready. Plus, you can account for the cost of your IR retainer in a budget.
Personally, I’ve never met a client who was financially devastated by their predictable IR retainer; but I have met plenty who were stung by unexpected IR fees after a sneaky ransomware attack.
Rising above reactive
The emergencies hog all the headlines, but good IR retainers don’t just cover an active crisis, they help you prepare for the day an attack inevitably takes place.
These preparations often include security “gap” assessments to find potential vulnerabilities before they become major problems, and regular meetings to discuss potential threats on the horizon.
These proactive measures are underrated tools in the IR playbook. In fact, they are some of the most powerful steps you can take to strengthen your defenses and reduce your risk level.
Moreover, many IR retainers allow unused hours to be converted into these types of proactive cybersecurity services, creating 24/7 value outside the emergency window.
IR retainers vs cyber insurance policies
Cyber insurance is a great investment. Sometimes these policies even include some form of incident response.
Unfortunately, some companies assume these services are the same as an IR retainer agreement. In reality, this is rarely the case.
At the very least, cyber insurance providers will need time to assess a claim and engage their chosen IR firm. This can lead to costly delays, and while insurance will likely cover the immediate financial loss, no cyber policy can recoup the reputational or regulatory harm that comes with an uncontained data breach.
Bottom line, IR retainer services help contain the damage and cyber insurance helps recoup the loss. Both are important, and they often work best when they are employed together.
So, who REALLY needs an IR Retainer?
Those of us who work in incident response are fond of saying it’s not a matter of “if” a cyber incident will strike your business, it’s simply a matter of “when.” So, in a perfect world everyone would have a full IR team on standby.
But we don’t live in a perfect world, which means your IR strategy will ultimately be determined by a variety of variables, including budget, business size, risk level, regulatory requirements and many more.
That said, for some companies, doing business without an IR retainer borders on reckless. This includes organizations storing sensitive data (financial records, intellectual property, patient information etc.) or businesses in heavily regulated industries such as healthcare, finance and government operations.
These businesses often have a duty to protect the data they collect, and data breaches can come with serious legal, financial and regulatory consequences.
For everyone else, it’s “work at your own risk.” So, if you’re unsure whether your business really needs an IR retainer, I recommend asking yourself these four questions:
- Do we have cybersecurity experts on call in case of a breach?
- How quickly could we respond if a ransomware attack hit today?
- Could we afford to wait several days for third-party incident response assistance?
- When was the last time we tested our overall incident response plan?
If you find yourself concerned by any of these answers, it could be time to take charge—before the next attack takes charge of you.
Learn more about Inversion6’s IR services: https://inversion6.com/services/incident-response