Plan it. Rehearse it: Respond with Confidence!

Imagine waking up to no email, a stalled warehouse system, or a call centre without customer records. That’s a common experience after a cyber incident. How your organisation responds in the first few hours will affect your customers, your finances, your reputation, your people — and how regulators view you.

If you think it won’t be you, consider this: Some cyber-attacks are targeted, but many are opportunistic and cut across sectors and sizes, including not-for-profits and small enterprises. Outsourcing technology doesn’t remove the risk—your supplier can be the cause of the outage, and without a joint plan you will largely depend on their timeline, not your strategic priorities. And while your technology team is essential, they can’t carry the whole response. Business continuity, communications, and regulatory engagement require executive leadership.

It doesn’t take a big project to develop a tailored plan that makes your organisation more resilient. Start with what you already have, for example crisis procedures or a plan ensuring business continuity. Connect with your suppliers; they will bring useful know-how. Involve representatives from across your business[1]. You are likely to learn about clever workarounds and fallback methods that already exist but aren’t written down. Pulling these into one simple plan makes those first hours far easier. A business-focussed response plan will give your team the confidence to align the immediate response with your strategic goals and risk preferences.

What you want is a cyber incident response plan that covers all parts of your business. It should provide guidance on:

  • Roles and authority: Who convenes the first assessment? Who can disconnect systems or pause a supplier connection? Who is the incident leader? Pre-approved decision rights prevent hesitation when minutes matter.

  • Communications and partnering: Who must be informed and when? If primary communication channels fail, what are the alternatives? How will you align messaging with suppliers, so customers, staff, and partners hear a coherent, confidence-building story?

  • Strategic alignment: Which services, products, and processes are restored first? Your criticality assessment should be aligned with your mission, strategy and your risk appetite [2]. If your purpose is helping people in distress, define the minimum viable operations to keep doing so. If you ship perishable goods, plan how to produce and dispatch to avoid loss.

  • Board support and decisions: How will the board support the executive team? Establish an escalation route (maybe to a dedicated committee?) during incident response. Be ready to guide on external communications and facilitate regulator engagement. Approve budgets for surge capacity and additional expertise when needed.

Make the plan easy to reach — printed copies and a digital copy in multiple systems. Share them widely with the people who will use them. Revisit the plan each quarter to reflect changes in your organisation, the technology you are using and your team.

Beyond the planning, rehearsal is critical. A well-designed table-top exercise will build confidence and strengthen coordination with suppliers. A workshop walk-through to validate that the plan is executable is even more valuable. Rehearsals should involve the board: the board has a role to play, and its visible participation underscores strategic relevance, and lets you test decision pathways.

For boards and executive teams, the goal is not a perfect, encyclopaedic manual or a purely technical runbook. It’s a practical and business-driven response plan. When the worst morning arrives, you won’t scramble — you’ll be responding with confidence.


[1] McKinsey & Company, 2023, How good is your cyber-incident-response plan? https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/how-good-is-your-cyberincident-response-plan?

[2] National Cyber Security Centre, Cyber Security Toolkit for Boards, Planning your response to cyber incidents, https://www.ncsc.gov.uk/collection/board-toolkit/principle-d-incident-planning-response-recovery/planning-your-response-to-cyber-incidents
