A Guide to Drafting a Cybersecurity Crisis Management Response Plan – The 6 Key Elements and 6 Key Steps

“The secret of crisis management is not good vs. bad, it’s preventing the bad from getting worse.” - Andy Gilman


With the ever-increasing proliferation of cyberattacks across the globe, having a ready cybersecurity crisis management response plan (“Response Plan” or “CCRP”) may spell the difference between life and death for an organization.

A Response Plan or CCRP is a set of tools and guidelines that an organization’s IT team can rely on to help them identify (observe), orient, eliminate (act) and recover from cybersecurity threats.

Having such a plan in place also mitigates the risk of an organization’s IT personnel stalling out (due to panic) in the event of a cyber-attack, and helps them react accordingly. This way, an organization can mitigate the damage caused by threats, including but not limited to data loss, abuse of data and loss of customer trust.

Whilst having a plan is useful, no plan is useful without a team to carry out the contingency. Having a Cybersecurity Crisis Response Team (“Response Team” or “CCRT”) is therefore equally important for any organization.

Why Do You Need a Cybersecurity Crisis Management Response Plan?

It cannot be stressed enough that incident Response Plans are essential to data protection. Such protection (usually outlined in most Response Plans) will include procedures for the creation of secured backups (which can reduce service outages), the use of logs and automated security alerts to detect malicious activities, identity (ID) and access management to mitigate insider threats, and patch management.

Given that most customers will take their business elsewhere (or litigate against the organization) in the event of a data breach, a company that does not handle a cybersecurity breach quickly, efficiently and properly faces the real risk of both losing business and incurring liabilities from cybersecurity negligence lawsuits. For public companies, investor confidence can decline substantially (causing fluctuation in price) where a company suffers devastating cyber-attacks.

Conversely, by having a robust and functioning Response Plan and Response Team in place, organizations stand to gain through:

  • Improved Data Protection: proper data protection means there are backups in place, which in turn translates to ‘no service down time’ even where the worst happens (e.g. roll out the back-up).
  • Strong Reputation: efficient and timely response shows the organization’s dedication to security and privacy (even where it is pre-emptive). If an organization suffers an attack, clients will eventually find out.
  • Reduced Costs: set-up may be costly, but it is absolutely nothing compared to regulatory fines and/or civil litigation, investigation and customer compensation. Prevention is always better than cure.

Key Criteria for a Good Response Plan

For any organization that wishes to have a good Response Plan on hand, the following are ‘must-have’ elements:

  1. Senior Management Involvement: top-down involvement is key to success. Not only will the IT team have the resources they need, but the presence of management will enable the proper forming of a Technology Steering Committee.
  2. Constant Vulnerability Testing: a Response Plan is not much if there is no Response Team, and a Response Team’s efficiency is based on how well it is trained. Always have drills to make sure Response Plans are executed properly and to seek out vulnerabilities.
  3. Balance: too rigid a response plan may mean that unexpected variables go unaddressed. Conversely, too flexible (i.e. vague) a plan will lead to confusion. A detailed plan, with lower levels being able to take the initiative for the proper response depending on the situation, will be the key to success.
  4. Established Lines of Communication: this part is often overlooked. Having a clear line of communication as to who should report to whom (and the contingency) is key to crisis management. For example, guidelines as to which piece of information should be directed to IT, management or public relations are essential.
  5. Stakeholder List: this comes down to the training of the Response Team. Organizations are often big (even for small enterprises) and, depending on the organizational resource that is targeted by a cyber-attack, the stakeholder list tends to shift.
  6. Strip to the Essentials: one of the biggest problems with organizations is the idea of obtaining a ‘template’ Response Plan. These are usually unwieldy and not functional for specific organizations. The concept of “Keep It Stupid Simple” (“KISS”) is a time-tested principle. Response Plans should be appropriately made.


Always remember, cybersecurity is an ongoing process for an organization. A response plan should therefore be able to codify the following steps:

  1. Preparation and Prevention: security systems should be put in place. Codifying contingencies will ensure a surviving operation even when attacked.
  2. Identification: vulnerabilities should be identified. Where an actual incident is identified, an automated response of “who, what, where, why and how” documentation should be made (to identify the attacker and preserve evidence for Court Action).
  3. Containment: where a threat is detected, a Response Team should, without requiring input, move in to contain the threat and stop the damage from expanding.
  4. Eradication: where a threat is identified and contained, appropriate steps to remove the intrusion/malware should take place. If a back-up is used, ensure that it is also free from infection.
  5. Recovery: a recovery plan ensuring that the backup is properly brought online should be implemented.
  6. Lesson Learnt: stopping an attack without addressing the vulnerability which enabled the attack is a wasted opportunity. Always learn and always improve.

Solicitor, ONC Lawyers

Joshua Chu is a Litigation Solicitor qualified to practice in Hong Kong. Before becoming a lawyer, Joshua worked in the healthcare industry serving as the IT department head at a private hospital as well as overseeing their procurement operations.

Since embarking upon his legal career, his past legal experience includes representing the successful party in one of Hong Kong’s first cryptocurrency litigation cases as well as appearing before the Review Body on Bid Challenges under the World Trade Organization Government Procurement Agreement concerning a health care industry related tender.

Today, Joshua’s practice is mainly focused in the field of dispute resolution and technology law.

Aside from his legal practice, Joshua is currently also a Senior Consultant with a regulatory consulting firm founded by ex-SFC Regulators, as well as a management consultant for the Korean Blockchain Centre.

Partner, Ravenscroft & Schmierer, Hong Kong

Anna is a Hong Kong qualified lawyer and, as a partner at Ravenscroft & Schmierer, is responsible for the commercial litigation department. Aside from her legal background, Anna is also an advisor to the Ohkims Blockchain Centre in South Korea and a regulatory consultant specialized in IT control and compliance.

Before starting her practice as a lawyer, Anna worked closely with the United States Patent and Trademark Office (USPTO) and US Food and Drug Administration (FDA) on intellectual property and FDA regulatory matters.

Since embarking on her legal career, Anna was part of the team that defended a party in Hong Kong High Court proceedings involving the jurisdiction’s first cryptocurrency cases, where she leveraged her science and engineering skills extensively to help improve the position of her client’s case. This feat was repeated shortly after, when Anna again leveraged her science background in a healthcare-related tender dispute.

Today, Anna is proactively working on various Distributed Ledger Technology related projects where she combines her love for science and technology with the logic behind regulatory frameworks.