With cyberattacks on the rise, companies must be able to respond to threats quickly to reduce risk and limit reputational damage and legal consequences.

Damage often snowballs because of the delays and mistakes organizations make while handling these incidents, largely because the employees who respond to them do so only occasionally, when an incident forces the issue.

Ideally, incidents are handled by specialists who do this work full time. To close that gap, many organizations contract with external providers for incident response retainer services rather than staffing a full internal incident response team.

What is an incident response retainer?

An incident response (IR) retainer is a fee paid by a company to an external vendor who agrees to be available in the event of a cybersecurity incident, says Will Sweeney, founder and managing partner of Zaviant Consulting.

“This is a surface-level agreement so that when an incident occurs the company will be prepared to help you deal with the incident and prevent it from spreading or getting worse and turning into a larger problem,” he says.

Such an agreement between an organization and an incident response service provider sets the parameters within which the two will work together, says Jess Burn, principal analyst at Forrester Research Inc.

A retainer locks in a specific response time for when the organization declares a breach and contacts the provider. It often also includes a set number of hours the IR provider will spend on digital forensics and incident response work during a breach, at a set hourly rate, Burn says.

“Often this rate is pre-negotiated between an IR provider and the organization’s cyber insurance carrier,” she says. “Companies with cyber insurance policies typically pick an IR service provider from a panel of providers approved by their carriers.”

Hours spent on an incident beyond those included in the retainer may be billed at a different rate from the one paid up front, but that overage rate is also commonly negotiated between the insurance carrier and the IR provider, according to Burn. Unused hours often carry over into the next contract year for a period and can be spent on other services, such as incident readiness exercises.

Why do businesses need IR retainers?

Cyber incidents are a matter of when, not if, says William Candrick, director analyst at Gartner. Companies can manage and reduce cyber risk, but they cannot prevent incidents outright, so every organization needs incident response capability.

“Most organizations either maintain their own computer security incident response teams and security operations centers or they outsource these capabilities; however, many organizations find that they need additional expertise, capacity, and capabilities on-call during a severe or complex incident,” Candrick says.

Effective management of a cyber incident hinges on three factors being in place when the incident occurs: qualified people, well-defined operational processes, and appropriate technology, says Shmulik Yehezkel, chief critical cyber operations officer at CYE, a cybersecurity startup in Tel Aviv.

“Without an incident response retainer service contract, complications arise,” he says. “Finding a proficient IR team on short notice can be challenging, and even if these experts are available, they may not possess the specific knowledge required for the incident at hand.”

IR retainers can address unique needs

In addition, each organization has its own processes and assets, so an unfamiliar IR team needs time to learn the operational complexities, and that learning period is where errors creep in, Yehezkel says. And because IR teams rely on a variety of tools, deploying them into an unfamiliar environment can run into obstacles such as the network architecture or existing security measures.

As such, businesses should select an IR provider (from their carrier’s panel if they are insured) as early as possible, according to Burn.

“Don’t wait until you’re under attack to select one,” she says. “The benefit of a retainer is the onboarding process with the IR service provider. Often this provider holds several intake sessions to get to know the organization’s environment (are they cloud, on-prem, or hybrid, for example), their security tech stack, and the skills and competencies of the organization’s internal security team.”

The IR provider, the company, and the company’s outside counsel also typically draft and refine a three-party agreement in advance so that the IR provider works at the direction of outside counsel during a breach, which helps protect attorney-client privilege over the investigation, according to Burn.

“All of this greatly increases the efficacy of the provider during a breach,” she says.

The benefits of an IR retainer

Cybersecurity leaders face a global talent shortage, says Candrick. Simply put, there isn’t enough qualified cybersecurity talent to fill current demand.

“Therefore, incident response retainers are one way to quickly augment the in-house cybersecurity team or outsourced managed security service provider when advanced capabilities and additional headcount are needed during a severe or complex incident,” he says.

In addition, cyber insurance policies typically require an incident response retainer, among other requirements, so organizations seeking or already holding such a policy will likely need a retainer to comply with its terms, according to Candrick. Many insurers maintain their own panels of preferred IR retainer providers, breach coaches, and other services.

Incident response retainers also let companies manage costs more predictably, says Javier Dominguez, CISO at Commvault, a provider of enterprise data protection software.

“You gain the benefit from having a pre-negotiated hourly rate and allocated budget should you need to exercise the retainer,” he says. “Not having [an incident response retainer] will place you at a disadvantage to negotiate and budget appropriately.”

What is included in an IR retainer?

According to Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, a provider of automated performance management software, an incident response retainer typically consists of the following elements:

Should companies buy or build incident response capabilities?

There are many operating models in this space, says Bryan Willett, CISO at Lexmark. “An organization could decide to completely outsource their entire security practice and incident response would be included,” he says.

“Or a company may deem that it is important for them to own the responsibility of managing cybersecurity risk within their organization. In this case, they will need to assess their response maturity and augment appropriately.”

Only a few organizations in the world have all the expertise needed to respond to a significant cyber incident in-house, Willett adds. Even those should weigh the potential legal liability of any incident and bring in third parties to collect the appropriate evidence in case the event leads to litigation.

“When considering this, it is important to work closely with your legal team and cyber insurance carrier to ensure that you’re taking the right steps to satisfy your insurance carrier’s claim requirements,” he says.

Should small or large companies get an incident response retainer?

Whether an organization should build or buy incident response capabilities depends on the company. Small organizations most likely lack the budget and headcount to keep skilled incident responders on staff, says Brandon Leiker, principal solutions architect for security at 11:11 Systems, a managed infrastructure solutions provider.

They are also unlikely to see incidents often enough for in-house responders to keep their skills current.

Larger organizations, however, may have the budgets and employees to keep incident response experts on staff, according to Leiker. They may also see cyber incidents frequently enough for employees with those skills to maintain and continue to hone their abilities.

Those internal employees would likely be able to handle small to medium cyber incidents appropriately, but they may still need outside help with very large and serious incidents, he says.

“[However], incident response retainers can be a vital part of your organization’s incident response strategy regardless of whether you’re a small organization without the resources to build out incident response capabilities internally or a large organization that needs to augment its incident response capabilities,” Leiker says.