Skip to content.

Preparedness and response planning best practices

This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group

In this article, we discuss 6 key planning points that organisations should consider in light of the ever increasing cyber risks that they face. As a proxy for how seriously organizations are taking cyber risks, the global market for cybersecurity products is expected to grow from USD $152.71 billion in 2018 to USD $248.6 billion by 2023, representing a compound annual growth rate of 10.2%. The landscape has gotten even riskier in recent months. The Canadian Centre for Cybersecurity found that COVID-19 brought more facets of Canadian life online, thus creating new cyber vulnerabilities and increasing the overall risk of cyberattacks. It is therefore of no surprise that three in ten organizations reported seeing a spike in the volume of cyberattacks during the pandemic, according to the Canadian Internet Registration Authority’s 2020 cybersecurity report.

The good news is that even if a data incident occurs, this does not necessarily have to result in a catastrophic outcome. Organizations that respond well to a data incident can significantly reduce the risk of significant harm to their business, their customers, and their employees. Being prepared for a cyber incident is most achievable for organizations that plan in advance for such an eventuality.

1. Be prepared

We recommend that you do not wait until an incident has occurred to start preparing for how your organization should respond. It is important to develop a plan ahead of such an occurrence that includes two general components: (1) the cybersecurity framework; and (2) the cybersecurity incident response plan. The former is proactive and contains a complete set of organizational resources used to assess and mitigate cyber risks. The latter is reactive. It represents an enterprise-wide undertaking that provides a protocol for each layer and moving part of the entity to be diligently followed during and after a data incident. Both components of your plan should be updated as the risk landscape evolves.

2. Test your incident response plan

Once drafted, the incident response plan should not sit in a drawer. We recommend that organizations test their response plans and cybersecurity frameworks regularly. According to a 2019 CPO Magazine article, 59% of incident response professionals admitted that their organizations do not test their incident response plans and simply assume that their processes work well. We have observed that well-prepared organizations conduct regular penetration tests, internal audits and tabletop exercises, all with the twin objectives of continuous improvement and developing “muscle memory”. It is possible that what was once a reasonably strong incident response plan gradually became outdated. As noted above, planning in this domain is an ongoing process, and testing one’s plan effectively determines if changes are required to accommodate the current risk landscape.

3. Know who you will contact

An essential element of the cybersecurity incident response plan is to know who to contact once the response protocol is triggered. It is important to know which internal and external people and entities must be contacted following a breach, when to contact them, and what each one’s responsibilities will be. The goal is to maximize your organization’s focus on actually dealing with the data incident itself, rather than losing crucial time in figuring out who to contact. Categories of external parties who may need to be contacted include forensic auditors, call centre service providers, insurers and insurance brokers, federal and provincial privacy commissioners that may have jurisdiction, customers and other affected individuals, and communications specialists.

4. Preserve evidence

One of the most common mistakes that we see in our practice is organizations rushing to restore and commence fixes before properly gathering and retaining evidence. Organizations will only have a short window of time to gather critical evidence to meet technical and legal requirements. Thus, it is crucial that organizations understand the need for effective and secure collection and preservation of evidence. Notably, organizations must retain records of cyber incidents and might have to notify affected individuals if there is a real risk of significant harm to them. On the technical side, gathering evidence will enable the identification of the pathway of attack and for vulnerabilities to be fixed. We recommend that organizations contact a law firm and an external IT forensics firm to meet the organizations’ legal obligations and preserve privilege.

5. Involve legal counsel

Organizations often want to get back to business as usual as soon as possible. However, once a data incident occurs, there are ensuing legal obligations that the organizations must consider. For example, often records of incidents must be retained and often there may be obligations to notify individuals and regulators. According to a 2021 report by Kroll, RedCanary and VMWare, 47% of surveyed organizations lack clarity regarding when to retain counsel about potential breaches, and at least two out of five felt ill-equipped to handle the full range of legal requirements post-breach.

6. Act quickly, but not too quickly

It is essential that an organization that was victimized by a data incident operate in a quick but calculated manner. We often see organizations acting too quickly in face of a cyber incident. Organizations need to follow their incident response plan’s protocols and timeline, and to avoid narrowing the focus on getting the system restored as soon as possible.


Being prepared matters in cybersecurity. We should grow to accept that the question is not if a data incident will occur, but when. It is therefore essential that your organization takes steps now to ensure that it is well-equipped to prevent and if required, respond to cybersecurity risks. Cyber experts like the Cyber/Data team at McCarthy Tétrault can be key partners to preparedness and help you build an industry-leading incident response strategy. We invite you to consult our publication, Cybersecurity Risk Management: A Practical Guide for Businesses, for more information on cybersecurity preparedness and response.

To learn more about our Cyber/Data Group, please contact Charles Morgan or Daniel Glover. To receive timely updates, please subscribe to our TechLex blog. To learn about upcoming seminars and events, please visit the Seminars page on our website.



Cybersecurity Blog Series and Related Insights:


To learn more about developing a cybersecurity strategy and an incident response plan, download a copy of our Cybersecurity Risk Management: A Practical Guide for Businesses or visit the Cyber/Data homepage.

To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.



Stay Connected

Get the latest posts from this blog

Please enter a valid email address