The Pitfalls of Not Having an Incident Response (IR) Retainer

Hwei Oh

The wrong time to look for flood insurance is during a flood. Similarly, the wrong time to look for an Incident Response (IR) team is when you’re already under a cyberattack.

We get it. Inflation is skyrocketing, and businesses are tightening their purse strings. The rise in energy and gas prices also isn’t helping. Companies need cash flow, and hiring another vendor on retainer might seem counterintuitive while the world is still recovering following the pandemic.

But inflation and gas prices aren’t the only things on the rise: so are cyberattacks. And SMEs sit squarely in the crosshairs of opportunistic cybercriminals who spray their attacks shotgun-style at “low-hanging fruit,” hoping to strike it lucky.

Experts at DAVOS 2023 recently called the flurry of attacks a “cyber storm.”

Cybercriminals can attack many thousands of SMEs in a short time by using sophisticated tools. The hit rate for these attacks was 42% in 2021. And, although the payback from an SME might be much lower than from one big fish corporate company, it adds up. Not to mention that it’s significantly easier.

The costs of a data breach can be crippling. IBM’s 2022 Cost of a Data Breach report reveals that the average cost to businesses can be as high as $5.57 million. These costs include the expenses of:

  • Mitigating the attack.
  • Investigating the attack.
  • Resolving it.
  • Handling the fallout.
  • Paying notification costs and any legal fees, which may include regulatory fines.

Fortunately, having an IR team on retainer can significantly mitigate these costs. Coupled with an overall robust security posture as well as a well-practiced IR Plan, a company dramatically reduces its chances of falling victim to cybercriminals on the prowl.

Let’s look at the pros and cons of having an IR team in place; whether the risk of going without one is worth it; and where to look for the most competitive IR Retainer pricing.

Retainers reduce costs, period.

The IBM Cost of a Data Breach report mentioned earlier provides some eye-opening numbers regarding cost-saving.

Companies with an IR team experienced a $252,000 decrease in the cost of managing a data breach. When they tested the plan thoroughly, such as through regular IR Plan Tabletop Exercises, they further reduced the average cost by $246,000.

Having an IR team in place was one of the top three cost mitigation factors in all breaches.

Clearly, being engaged with an IR team pays for itself!

Shopping for a retainer at the time of a breach is much more costly

Retainer pricing models follow the same principle as insurance models: economies of scale allow retainer-based companies to provide premium services at a significantly reduced cost.

Emergency-type services such as AAA typically charge you the full fee if you aren’t an existing client. Retainer-based models also run on the principle that retainer clients are a priority. If you reach out to an IR team during a crisis, there’s no guarantee they’ll prioritize you. This is especially true if they have retainer clients who need help at the same time.

The other reason a retainer model works for both client and vendor is that the pricing is predictable. Unlike the “call in an emergency” paradigm, when you have a retainer contract, you’ll typically pay only the pre-negotiated retainer rate, and no more.

In other words, if you do need immediate and emergency IR support, you’ll likely have to pay a premium to have the IR team prioritize you. However, these premiums won’t apply if you have them on retainer.

The sheer quantity of breaches means that IR businesses are busy. This demand drives up the costs of ad hoc IR services.

Time is of the essence when facing a security incident

Every minute lost during a cybersecurity crisis adds to the recovery costs. As per the IBM report, having an IR team and a well-tested IR plan in place results in some of the most significant cost reductions for data breaches.

Onboarding takes time

It also takes time to onboard a new IR Team. The teams need to understand:

  • Your environment, including your technology and security stacks and sources of evidence.
  • Available resources.
  • Who is responsible for what.
  • Communication strategy.

Prep-work of this nature isn’t going to happen in a day, and an IR team that doesn’t know your company will be much less effective. This can be devastating if you just secured their services when you were hit with a cybersecurity attack.

An effective IR strategy comes down to preparedness. By the time the attack happens, your IR team on retainer should be on speed dial and prepped for any kind of assault. The tighter the relationship, the faster the IR team can hit the ground running.

What else to consider beyond the retainer?

How do you look beyond the retainer and adequately vet the IR team you’re considering?

You should ask three core questions:

  • Will they create a comprehensive IR plan?
  • Will they help you exercise and test that plan?
  • How quickly can they respond should you have an incident?

Let’s take a look at each of these vetting questions in detail.

Will they create a clearly executable IR plan?

An IR plan must consider all stakeholders. The plan itself should be comprehensive and detailed so you’re not looking for explanations or specifics during a cyber event. Usually, the IR team helps create additional IR playbooks to describe more complex aspects of the plan.

An IR plan should consider the responses of:

  • Leadership
  • Tech personnel

Leadership will need to make tough decisions when an incident occurs. These decisions might require bringing in legal and PR stakeholders.

Tech teams will have their own actions to take. Sometimes, those actions will be independent of leadership actions. Other times, they will depend on leadership decisions.

Having an IR Plan is often a regulatory requirement or even a necessity for specific certifications such as the SOC2 — a security framework to determine how companies must care for customer data.

Will they help you exercise that plan?

IR plans need to be tested to ensure all key stakeholders and actors perform their tasks effectively during an incident. This is typically done using Tabletop Exercises.

Think of tabletop exercises like fire drills but for cyber security incidents. Participants carry them out in an informal, conversation-based setting. They are performed so players understand their roles during an incident.

Participants must answer questions about what to do and why during these exercises. The day of an incident isn’t the day to try and figure out the right actions to mitigate the attack.

How quickly can they respond?

Finally, the most significant benefit of an IR Retainer is that the team is there to help when you need it. Understand how you can contact them in the event of a breach and how quickly they can respond. As we’ve pointed out, the longer it takes, the more it can cost.

Conclusion: Don’t wait to get an IR retainer

No matter how well-protected you are, it’s wishful thinking to believe you’ll never get hacked. The more protected you are, the lower the odds. But the best posture for companies to adopt these days is one of preparedness.

In addition to reliable MSSP Services and cyber insurance, signing up for an IR Retainer is crucial for effective cyber resilience.

MSSPs can help reduce costs

Fortunately, MSSPs can offer additional cost savings by bundling their offering with an IR Retainer.

SolCyber has partnered with all necessary cybersecurity players to ensure we provide a turnkey service to anyone who uses us. One of those players is the esteemed IR company Surefire Cyber.

When you sign up with SolCyber, you can also sign up for a retainer with Surefire Cyber as part of our Extended Services. Surefire Cyber will then immediately start helping you with crucial elements such as:

  • Understanding your cybersecurity posture.
  • Preparing an IR Plan based on that posture.
  • Running exercises based on that IR Plan.
  • Ensuring your IR plans are supported by accompanying IR Playbooks.
  • Regularly checking that your IR Plans and playbooks are up to date.

Because Surefire Cyber works with SolCyber, you have the advantage that they know exactly what you’re protected against. This makes it easier for them to prepare an IR Plan matching your security posture. For any questions about how to bolster your IR planning, talk to us today!
