Cyber incidents… are you ready for it?
Cyber incidents have become an inescapable part of today’s reality, and they are here to stay. The question is no longer if your organisation will be affected by an incident, but when. Too often, incident response still descends into chaos. Bringing structure to this inherently complex domain is essential to protecting organisational interests. In this blog, our cyber specialists share practical insights into cyber resilience by examining the phases before, during, and after an incident.
What’s in a name?
Effective cyber readiness begins with understanding what constitutes a cyber incident. Cyber incidents span a broad range of events, from intentional acts that amount to cybercrime (such as ransomware attacks) to non-malicious incidents caused by negligence or human error (such as leaving an unencrypted laptop on public transport or inadvertently sending confidential data to the wrong recipient). Even non-malicious incidents must be taken seriously and handled with due care.
A review of the legal definitions of cyber incidents (such as a ‘personal data breach’ under the GDPR, an ‘incident’ under NIS 2 or an ‘ICT-related incident’ under DORA) reveals three common elements: a cyber incident always involves a security compromise, may be malicious or non-malicious in nature, and results in an impact on data and/or services.
Before: if you fail to plan, you plan to fail
Preparing for a cyber incident means treating your organisation as a fortress and its most critical assets as crown jewels. A good place to start is identifying those crown jewels (such as critical data, business applications, infrastructure components, and intellectual property) and the threats they face, ranging from cybercriminals, state-sponsored groups and hacktivists to insiders and plain human error. Know what you need to protect, and from whom.
Second, organisations must map their legal obligations and the measures required to shield their crown jewels. Cybersecurity requirements have expanded significantly in recent years and are spread across multiple legal instruments, including GDPR, NIS 2, DORA, the Cyber Resilience Act, the AI Act, and others. A clear overview of this (evolving) landscape is essential to reducing cyber and compliance risks, particularly as authorities also penalise organisations that are insufficiently prepared (see also our previous blog post).
A clear and comprehensive incident response plan is not only a legal obligation under frameworks such as NIS 2, but also an operational necessity. Without one, valuable time and direction will be lost in the critical hours and days following an incident. At a minimum, the plan should allocate roles and responsibilities, determine escalation procedures, identify key stakeholders and alternative, out-of-band communication channels (the usual e-mail or chat systems may themselves be compromised or unavailable), and outline the steps to be taken during and after an incident. A plan that has never been exercised is of limited value: test it regularly, for example through tabletop exercises.
Finally, organisations should review contractual arrangements and embed cybersecurity throughout. Relevant provisions include standards and certification requirements, audit rights, cooperation and transparency obligations, liability regimes, termination rights, and insurance requirements. While some legal frameworks (such as GDPR and DORA) already mandate specific clauses, incorporating robust cybersecurity provisions is a best practice even where no explicit legal obligation applies.
During: the battle is in your hands now
Once a cyber incident occurs, it must be handled with care and forensic discipline. Timely involvement of forensic, legal, and other experts can significantly influence outcomes. Core actions in this phase include the following, which are closely interlinked and should be coordinated centrally:
Containment focuses on regaining control. It includes isolating affected systems where possible, blocking malicious activity, and preserving evidence. Hasty actions, such as powering off or rebooting systems, should be avoided because they can quickly and irreversibly destroy critical forensic evidence: running processes, active network connections, and keys held in memory are lost the moment a machine is switched off. Where possible, isolate a system at the network level and leave it running until the forensic team has captured what it needs.
Fact-finding aims to establish a clear understanding of the incident by gathering relevant information, assessing its impact, and identifying the root cause. Any internal investigation must be conducted in accordance with applicable legal frameworks, including regulations on the secrecy of electronic communications, employee monitoring, and private investigations, depending on the scope of the inquiry. In addition, the decision whether, where, and when to file a criminal complaint to trigger an official investigation should be carefully evaluated, as it involves inherently strategic considerations.
Logging the course of the incident and the various actions taken should be treated as a strategic necessity rather than an administrative task. Each entry should record, with a timestamp, who did what, which decisions were taken and why. Robust logging centralises relevant information into a ‘single source of truth’, enabling a consistent and defensible narrative after the incident, towards regulators, insurers, counterparties and courts alike. It also supports regulatory and compliance obligations.
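To make such a log defensible rather than merely complete, it helps if it is tamper-evident: every later edit or deletion should be detectable. The following Python example, added here for illustration and not part of the original post or of any specific tool, implements an incident timeline as a hash chain, where each entry carries the SHA-256 digest of the previous one. The entries and timestamps are constructed sample data; the field names (actor, action, rationale) are assumptions chosen to mirror the points above.

```python
"""Tamper-evident incident timeline (added example, not from the original post).

Each entry stores the SHA-256 hash of the previous entry, so that changing,
inserting or removing any entry breaks the chain and is detected on verification.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous hash of the very first entry


def _digest(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on
    # dictionary order or formatting.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log, actor, action, rationale, timestamp=None):
    """Append one entry to the log (a list) and return it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "rationale": rationale,
        "prev_hash": prev_hash,
    }
    entry["hash"] = _digest(entry)  # hash covers every field except "hash" itself
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash or _digest(body) != entry.get("hash"):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_log():
    """Constructed sample timeline for demonstration purposes."""
    log = []
    append_entry(log, "SOC analyst", "Alert: suspicious outbound traffic from FILESRV01",
                 "EDR alert triggered", "2024-05-02T08:14:00+00:00")
    append_entry(log, "Incident lead", "Isolated FILESRV01 at network level; host left running",
                 "Preserve volatile evidence for forensics", "2024-05-02T08:31:00+00:00")
    append_entry(log, "Forensics", "Memory image and disk image acquired, hashes recorded",
                 "Evidence preservation before any remediation", "2024-05-02T10:05:00+00:00")
    append_entry(log, "Legal", "Preliminary notification sent to supervisory authority",
                 "Statutory deadline; facts known so far documented", "2024-05-02T16:40:00+00:00")
    return log


def tamper(log, index, field, value):
    """Return a copy of the log in which one field of one entry has been edited."""
    altered = copy.deepcopy(log)
    altered[index][field] = value
    return altered


def drop_entry(log, index):
    """Return a copy of the log with one entry silently removed."""
    altered = copy.deepcopy(log)
    del altered[index]
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("edited:", verify_chain(tamper(log, 1, "action", "Rebooted FILESRV01")))
    print("deleted:", verify_chain(drop_entry(log, 2)))
```

The hash of the latest entry (the chain head) can be shared with outside counsel or the insurer at regular intervals; anyone holding that value can later confirm that nothing before it was rewritten, which is exactly what a defensible narrative requires.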
Notification of a cyber incident is driven by legal and, where applicable, contractual obligations, each subject to strict but distinct deadlines. These may include notifications to regulatory authorities (such as the DPA, CCB, FSMA, NBB, and sectoral authorities) as well as to data subjects, service recipients, co-contracting parties, and insurers or brokers. Having a clear, pre-established overview of these obligations is critical to streamlining timely and compliant reporting.
Restoration focuses on safely returning to operations. Depending on the circumstances, this may involve restoring systems from clean backups, rebuilding environments from scratch, or, particularly in ransomware scenarios, considering, as a last resort, whether to engage with attackers. Before restoring, confirm that the backups themselves are intact and predate the compromise, and that the initial access vector has been closed, otherwise the restored environment is simply reinfected. Engaging with attackers carries its own risks: payment guarantees neither a working decryptor nor the deletion of stolen data, and may raise sanctions and insurance issues. Each option involves trade-offs between speed, security, and long-term risk, and should be assessed carefully with technical, legal, and insurance input.
After: are we out of the woods?
The response to a cyber incident does not end once systems are restored and immediate threats are contained. The period following an incident is critical for ensuring long-term resilience and reducing the risk of recurrence. Organisations should take structured follow-up actions, including monitoring for misuse of compromised data (for example, through dark web searches), rotating any credentials that may have been exposed, protecting legal interests, settling matters with insurers, and maintaining constructive follow-up contacts with regulators.
At the same time, mitigation measures identified during the incident should be fully implemented and tracked, a lessons-learned review should feed back into the incident response plan, and contractual arrangements should be reviewed and updated where gaps or weaknesses have been exposed. Depending on the circumstances, this may also involve pursuing extra-contractual remedies, such as criminal proceedings or complaints to supervisory authorities, or contractual enforcement actions.
Cybersecurity is not a one-off exercise and is never ‘finished’. As technology, threat landscapes and legislation continuously evolve, cyber resilience requires ongoing attention, adaptation, and investment. Are you ready for it? For questions and assistance on this matter, our experts are at your disposal.