Attention June 12th, 2024 Webinar Attendees, please click here to complete our Survey or Attendance Verification and Credit Request Form. (required for CLE credit)

Important! June 12th, 2024 Webinar Attendees, please click here to complete our Survey or Verification Request Form.

Click Here

How to Prepare a Cyber Incident Response Plan for Your Firm

Last update





Print Friendly, PDF & Email
Here's where to start.

If you need to prepare a Cybersecurity Incident Response Plan for your law office but don’t know where to start, you’ve come to the right place.

The National Institute of Standards and Technology (NIST) offers a wealth of resources – including an outline of the four essential phases of an incident response plan – free on its website.

“It is important to recognize that preparatory activities and post-incident activities are equally important,” says the NIST. “In fact, NIST emphasizes both types of activities in their outline. The key to an effective cybersecurity incident response plan (CSIRP) is to have one in place well before a breach occurs.”

Download the NIST’s official Computer Security Incident Handling Guide.

Below is a blueprint from NIST for creating a Cyber Incident Response Plan.

Why choose Alta Pro Lawyers Risk Purchasing Group over other legal malpractice programs? Because Alta Pro RPG gives insured law firms exclusive access to valuable practice resources and cost-saving programs. When you join the Alta Pro RPG, you can use our Pro Practice Resource Center, filled with practical pointers and risk management tools to keep your law firm safe and soaring. Plus you get exclusive access to free CLE webinars, like our recent, highly popular program on Basics of Cannabis Law. Also: discounts on office essentials, Ask the Risk Pro, malpractice defense hotline and more. Don’t miss out on these fantastic perks. If you’re already a policyholder with Alta Pro but haven’t yet created your RPG account, here’s how to do it.

NIST Four Phases of An Incident Response Plan

The following is from the NIST website:

Phase One: Preparation. “Your plan needs to detail who is on the incident response team—along with their contact information and what their role is, and when members of the team need to be contacted. Each member of this team, from the CEO to the members of the IT team, needs to understand their place on the team and what they need to do in the event of a breach. They also need to recall the details within your CSIRP so that when a security incident happens, they can respond quickly.”

Phase Two: Detection and analysis. “[This phase] is triggered when an incident has just occurred and your organization needs to determine how to respond to it. Security incidents can originate from many different sources and it’s not practical, or even possible, to create a plan to respond to every type of security incident possible. The NIST provides a list of some of the more common methods of attack that you can use as a starting point as you determine what steps to take in the event of a security event.”

Phase Three: Containment, eradication, and recovery. “This phase is the heart of your CSIRP. Everything you do in response to an attack will revolve around containing the incident, eradicating the threat, and recovering from the attack.” Here are some NIST criteria for devising a containment strategy: potential damage to and theft of resources; need for evidence preservation; service availability (e.g., network connectivity, services provided to external parties); time and resources needed to implement the strategy; effectiveness of the strategy (e.g., partial containment, full containment); duration of the solution (e.g., an emergency workaround to be removed in four hours, a temporary workaround to be removed in two weeks, permanent solution). Eradication and recovery can take days, weeks, or months depending on the size of the breach. The NIST advocates for a phased approach, with the early phases increasing your overall security as quickly as possible and later phases focused on long-term changes and ongoing work to keep your organization safe.”

Phase Four: Notification. “Depending on what kind of information was affected, you may also need to notify certain parties such as law enforcement, the FTC, your customers, affected businesses, and others. You need to work with your legal and compliance teams to make sure you understand who needs to be notified and have a plan in place for notifying.”

Post-incident wrap-up. “After the incident has been stopped, security updates have been made, and your organization is back on track, your organization should take some time to debrief from the incident. Reflect on what has happened and talk about how you can identify similar incidents in the future and stop them sooner. Assess the severity and damage.”

Source: How to Create a Cybersecurity Incident Response Plan – Hyperproof

Do you practice in Wisconsin, Texas, Minnesota, Ohio, Illinois, Indiana or Michigan? Is your professional liability coverage managed through Alta Pro? If so, you’re automatically a member of the Alta Pro Risk Purchasing Group (RPG), which offers a wealth of benefits for your practice: free, cutting-edge CLE webinars featuring top experts tackling timely topics; the Pro Practice Playbook; the Pro Practice Blog; Reminger’s ProLink risk management assistance; Reminger’s Claim Repair Hotline; discounts on CLIO practice management software; tax savings on health insurance; and access to the Risk Pro, who can help keep your firm safe and successful. Register here and start enjoying your Alta Pro RPG benefits.


Print Friendly, PDF & Email

Related Posts on!

Alta Pro Logo Icon

About the Editorial Staff

In an age of consolidation where increasingly impersonal transactions have made customer service an oxymoron, we bring together independent agents, insurance companies, and other industry specific service providers to develop and deliver insurance products and risk management solutions that benefit our insurance customers.

Join Our Newsletter

Occasional newsletters and CLE invites

Find Us on Social

Upcoming CLE Webinar: Cybersecurity for Attorneys: Employing Competent and Reasonable Safeguards

June 12, 2024 1:00 pm EST
CLE Credit: 1.0 Ethics

David G. Ries

Clark Hill


Latest Videos

1 Hour

Essential Business Skills for Busy Lawyers Part 1 – Communicate Like A Pro

1 Hour

Creating an Attorney Compensation Plan That Will Build Firm Culture and Attract Top Talent

1 Hour

Four “Ds” of Client Relations: Dabbling, Documentation, Difficult Clients, Don’t Do it!

Need Help?

Visit our Frequently Asked Questions page. 

Or email us directly at

Or submit your issue in the comment form below and we will respond as soon as possible.