What is the benefit of incident response retainer?

What is an incident response retainer?

An incident response retainer is an agreement between a company and an incident response firm to provide ongoing incident response services. With a retainer, the incident response firm is “on call” to immediately respond if the company suffers a cyberattack or data breach. The retainer establishes a predefined scope of services, response times, and rates that the incident responder will provide if an incident occurs.

Some key benefits of having an incident response retainer include:

Immediate incident response

With a retainer in place, the incident response firm can mobilize and begin investigating a cyber incident within minutes or hours of being notified by the company. This rapid response is critical for containing damages from breaches and attacks. Without a retainer, it may take days to find and contract an external team in the midst of an emergency.

Reduced costs

Retainers can significantly reduce incident response costs by establishing fixed rates and scopes in advance. The retainer fees paid are also typically less than an emergency incident response engagement. According to Ponemon Institute, the average cost of a data breach is $4.24 million. Retainer fees are a fraction of this.

Tailored services

Retainers allow companies to customize incident response services to their unique needs. This can include specialized services to respond to risks from industry-specific regulations and technologies. The retainer can outline required skill sets, response times, reporting, and other variables.

Faster response and resolution

With an existing relationship and an understanding of the company’s assets and risks, the retained incident response team can respond to and investigate breaches faster. This swift response minimizes damage and disruption to business continuity. It also facilitates faster resolution and recovery from the incident.

Proactive preparation

A well-structured incident response retainer will involve proactive services to continually prepare the company’s people, processes, and technology. This can include activities like:

  • Conducting tabletop exercises to practice incident response plans
  • Providing ongoing education to employees about cyber risks
  • Assessing existing incident response strategies and tools
  • Recommending proactive improvements to enable faster response

Being well prepared before an incident occurs greatly enhances resilience and recovery.

How much does an incident response retainer cost?

Incident response retainer fees vary based on the scope and extent of services included. Retainers often have both fixed and variable fee components.

According to industry experts, monthly retainer fees typically range from $5,000 to $25,000+. The table below outlines the factors that influence costs:

Cost factor                          Typical range
Base monthly retainer fee            $5,000 – $15,000
Additional proactive services fees   $2,500 – $7,500*
Emergency incident response rates    $250 – $500 per hour

*Such as for tabletop exercises, preparedness assessments, etc.

The higher the monthly fee, the more proactive and specialized services are typically included. The retainer will outline the exact deliverables covered. When an incident occurs, most firms charge emergency response fees at an hourly rate already defined in the contract.

Factors that increase retainer costs include:

  • More extensive proactive services
  • Faster guaranteed response times
  • Specialized services like forensic analysis and PR
  • Higher level skill sets and expertise
  • Larger and more complex IT environments

Overall costs scale based on the size and complexity of the company as well as the specifics of the retainer. However, they remain very reasonable compared to the alternative costs of an emergency incident response engagement.

What are the costs of not having an incident response retainer?

The financial, operational, and reputational costs of not having an expert incident response team immediately available via a retainer can be immense. Costs may include:

Delayed response

Without a retainer, it takes critical time to locate, evaluate, and engage an incident response firm. During this delay the impact of the breach continues to grow.

Prolonged downtime

Business operations and technology systems will remain disabled for longer while an ad hoc team is contracted. Lost productivity and revenue during prolonged downtime can be massive. The longer systems are down, the greater the overall economic impact.

Uncontrolled notifications

Regulations require prompt notifications after a breach. Without a retainer in place, companies risk non-compliance penalties as required notifications are delayed. Missed deadlines erode trust with customers and stakeholders.

Poor data protection

A delayed response risks more data being exfiltrated or destroyed by attackers. It also reduces the ability to quickly secure and recover compromised data, leading to permanent data loss.

Reduced legal protection

Prompt incident response demonstrates due diligence to regulators and the courts. Delayed response due to lack of an emergency retainer weakens legal defenses and worsens liability outcomes.

Higher costs

All the factors above significantly increase recovery costs. Emergency incident response engagements without a retainer also tend to have much higher hourly rates. One study found that average breach costs were 95% lower for companies with incident response plans.

Long-term reputational damage

Breaches without prompt response may permanently lose customer trust and damage brand reputation. Fifty-five percent of consumers say they would stop engaging with a brand after a breach.

In summary, the financial costs and business impacts of not having expert incident response immediately available through a retainer can result in exponentially higher crisis costs than the monthly retainer fees.

What should be included in an incident response retainer?

To maximize preparedness and response capabilities, companies should look for these key items in an incident response retainer:

Defined response times

Guaranteed response times, such as initiating response within 4 hours of breach notification. Faster response times minimize damage.

Technical expertise

Access to forensic analysts, malware reverse engineers, and specialized expertise tailored to your IT environment and risks.

Proactive planning

Ongoing services to proactively develop playbooks, conduct preparedness drills, and improve detection capabilities.

24/7 availability

Support 24 hours a day, 365 days a year. Ensures response mobilization even during holidays and weekends.

Interoperability

Experience integrating with your security technologies to enable seamless and rapid response capabilities.

Regulatory guidance

Guidance on compliance with data breach regulations, notifications, and filings for your jurisdiction and industry.

Crisis management

Public relations, media relations, and communications support to guide crisis management and uphold reputation.

Preferred rates

Discounted hourly fees for incident response services beyond the retainer scope.

Insurance connections

Ability to engage insurers and incorporate breach response coverage into the response plan.

Including a diverse blend of proactive and reactive services in the retainer agreement will provide maximum incident readiness and resilience at reasonable fixed prices.

How to choose the right incident response retainer?

Follow these steps when evaluating and choosing the ideal incident response retainer for your company:

Assess internal capabilities

Gauge current resources, expertise, and readiness to determine where external support is needed. Know existing gaps.

Define requirements

Specify required response times, services, deliverables, and cyber insurance needs upfront.

Screen providers

Research options and screen providers based on their expertise, services, experience with incidents in your industry, and client reviews. Develop a shortlist of top contenders.

Interview partners

Interview shortlisted providers to evaluate their offerings and approach. Assess their technical team’s skills, communication abilities, and cultural fit.

Compare proposals

Have prequalified providers submit custom proposals based on your requirements. Compare capabilities, experience, deliverables, and pricing.

Verify certifications

Confirm that partners hold the relevant ISO certifications and meet the regulatory standards in your jurisdictions. Assess their use of validated cyber incident response frameworks.

Negotiate contract

Negotiate any required customizations to the contract scope, fees, or timeline commitments. Iron out any legal and pricing details.

Conduct tabletop exercises

Test the onboarding process and simulate an incident response scenario. Evaluate communications, support capabilities, deliverables, and skill sets.

Choosing the right partner using this rigorous selection process will help you implement a high-value incident response retainer tailored to your organization’s unique needs, risks, and budget.

Conclusion

A properly structured incident response retainer delivers immense value for enterprises concerned about cyber risk. The retainer provides immediate access to specialized expertise to rapidly respond to and manage cyber incidents. It minimizes response delays that worsen crisis impacts and costs. Ongoing proactive services also improve cyber resilience by continuously enhancing detection and response capabilities.

For moderate monthly fees, retainers significantly reduce overall breach costs and damages compared to ad hoc emergency response. Quantifying the true cost of response delays makes the benefits of a retainer very clear. Partnering with expert incident responders before a crisis also helps uphold brand reputation during difficult times. Considering rising cyber risks, investing in an incident response retainer is one of the wisest proactive decisions an enterprise can make today.