Why Incident Response Preparedness Can No Longer Be Deferred
Cyber incidents continue to pose a material risk to operational continuity, financial performance, reputation, and stakeholder trust. As reliance on digital systems and third-party services increases, so too does the potential impact of a poorly managed cyber event. Expectations around preparedness have matured, with Boards, executive teams, insurers, and regulators now looking for clear evidence that organisations can respond to cyber incidents in a controlled, coordinated, and well-governed manner.
At the centre of this expectation is a fit-for-purpose Cyber Incident Response Plan that is current, tested, and understood across both operational and executive levels of the organisation. Recent analysis in the NCSC’s Cyber Threat Report 2025 reinforces this position, highlighting a sustained and evolving threat environment characterised by ransomware, supply chain compromise, exploitation of known vulnerabilities, and increasingly sophisticated threat actors.
The report consistently demonstrates that the severity of impact is often determined not solely by the technical nature of an attack, but by the quality of preparation and response. Organisations without clear plans, defined decision-making authority, and rehearsed coordination across technology, legal, communications, and executive teams are more likely to experience prolonged disruption and compounding harm.
This bulletin draws on those findings to reinforce a clear message for leaders. Effective preparedness requires more than preventative controls. It requires an up-to-date cyber incident response plan, supported by regular simulation exercises that test how the organisation would respond in realistic scenarios, including ransomware and major operational disruption.
If You Don’t Have a Cyber Incident Response Plan, Publish One Immediately
An organisation without a documented cyber incident response plan is exposed to avoidable and amplified risk. In the absence of a clear plan, responses are often fragmented, responsibilities are unclear, and decision-making authority is contested. Valuable time is lost while teams attempt to determine ownership, escalation paths, and communication responsibilities. This frequently results in inconsistent actions across technology, legal, communications, and executive teams, increasing disruption and compounding the overall impact of the incident.
A cyber incident response plan provides a pre-agreed framework for action during high-pressure situations. It establishes who has authority to make decisions, how incidents are escalated, how information is shared internally and externally, and how notification obligations are met. The existence of a documented and approved plan is increasingly regarded as a baseline control and a fundamental element of sound cyber risk and resilience management.
If You Have a Plan, Ensure It Is Current and Fit for Purpose
Having a cyber incident response plan is not sufficient if it is outdated or disconnected from how the organisation currently operates. Many plans do not reflect changes in technology environments, increased use of cloud and managed service providers, evolving threat scenarios, or changes in organisational structure and leadership.
When contact details are inaccurate, escalation thresholds are unclear, or assumptions about system availability and recovery are unrealistic, the plan provides limited practical value during a real incident. A current and effective plan should reflect today’s systems, suppliers, governance arrangements, legal obligations, and risk appetite, and should support timely, confident, and well-informed decision making under pressure.
Test the Plan at Least Annually
A cyber incident response plan that has not been tested remains theoretical and may create false confidence at both operational and executive levels. Annual testing through structured tabletop or scenario-based exercises is essential to confirm that the plan can be executed effectively and that it supports timely, well-informed decision-making during a high-pressure cyber event.
This is particularly important given the continued prevalence of ransomware incidents, which often require rapid decisions about containment, system isolation, service continuity, legal and regulatory notification, communications, and engagement with external parties. Ransomware scenarios place unique pressure on organisations, frequently involving compressed timelines, incomplete information, and competing operational and reputational priorities. Testing ensures that these decisions are understood in advance and are not being made for the first time during a live incident.
Regular exercises allow organisations to validate how decisions are made, how incidents are escalated, and how information flows between technical teams, executives, legal advisers, and communications functions. They test whether escalation thresholds are appropriate, whether decision-making authority is clear, and whether ransomware-specific considerations such as backup restoration, business continuity, and external engagement can be managed effectively.
Testing consistently reveals practical issues that are rarely identified through document review alone. These may include unclear responsibilities, unrealistic assumptions about recovery timeframes, gaps in communications, reliance on unavailable personnel, or supporting procedures that are difficult to follow under pressure. Identifying and addressing these weaknesses in advance materially improves response effectiveness, reduces uncertainty during ransomware and other major incidents, and strengthens confidence across both operational teams and executive leadership.
Preparedness Assessments Are Increasingly Being Requested
Organisations are increasingly being asked to demonstrate their level of cyber incident preparedness rather than relying solely on the existence of documented plans. Boards seek assurance that response arrangements are credible and aligned to the organisation’s risk profile. Insurers assess preparedness as part of underwriting and claims considerations. Regulators and other stakeholders expect evidence of proactive, reasonable, and well-governed cyber risk management.
Independent preparedness reviews provide an objective assessment of incident response capability across governance, people, processes, and supporting documentation. They help organisations identify priority gaps, benchmark maturity, and focus improvement efforts where they will deliver the greatest value.
We have the expertise and resources to conduct efficient and low-disruption reviews of cyber incident response preparedness. These reviews deliver clear, practical recommendations that help organisations strengthen governance, improve response capability, and provide executives and Boards with greater confidence in their level of readiness.
Call to Action
The Cyber Threat Report 2025 makes clear that cyber incidents should be treated as enterprise-wide crises rather than isolated technical events. They test leadership, governance, communications, and organisational resilience as much as they test technology controls. Organisations that have invested in preparation are better positioned to respond decisively, limit disruption, and recover more quickly when incidents occur.
Maintaining a current cyber incident response plan, ensuring it reflects the organisation’s real operating environment, and testing it regularly through structured simulations are now fundamental expectations of good governance. These activities provide assurance that decision-making authority is clear, escalation paths are understood, and executives are prepared to manage high-pressure scenarios such as ransomware, data extortion, and third-party failures.
As scrutiny continues to increase, organisations are also being asked to demonstrate preparedness, not simply assert it. Independent reviews and facilitated exercises offer practical insight into readiness, highlight priority gaps, and support credible assurance to Boards, insurers, and regulators.
Cyber incident preparedness is therefore an ongoing discipline rather than a one-off activity. Organisations that embed planning, testing, and review into their governance arrangements are far better placed to protect operational continuity, maintain stakeholder trust, and manage the impact of serious cyber incidents when they occur.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and, if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe” or “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
