
On Friday, 20 June 2024 the BBC Radio 4 Today programme broadcast an interview with Sir Dan Moynihan, Senior Executive Principal and CEO of the Harris Federation, which runs 54 schools in Essex and London. In 2021, the Federation suffered a ‘highly sophisticated’ ransomware attack.   

While the Federation was able to recover, Sir Dan revealed that the organisation’s response was significantly delayed. It did not have a cyber security specialist on retainer at the time, and every firm it contacted in the immediate wake of the attack declined to take on the Federation as a client because they were all “at capacity.” For any organisation this is a terrifying position to be in, especially when delays in responding can significantly exacerbate the damage.

With cyber attacks on the rise and threat actors becoming more dangerous, it is imperative that organisations start thinking of cyber security retainers as an essential part of their overall risk management strategies. Even if your organisation has a Chief Information Security Officer (CISO) and IT security team in place, here’s why a retainer matters, and why it can be one of the most useful tools in the cyber security team’s toolbox.  

Your cyber experts

Kevin Groves, Sales Director | Cyber Risk

Edward Starkie, Director, GRC | Cyber Risk

Insurance requirements and cost management  

An external IR team gives you access to advanced tools and skills, but without full-time costs.   

This evident benefit aside, many cyber insurance policies require an incident response (IR) retainer for compliance. Meeting such cyber insurance requirements can lead to better terms and lower premiums. Pre-negotiated rates also help to manage costs effectively: you can lock in favourable pricing and avoid higher emergency rates. Retainers also enable you to allocate a specific budget for IR, ensuring predictable costs.

Over the long term, the cost reduction comes from fewer and less severe incidents.

Rapid response capability, 24/7  

With the cyber security talent shortage, an IR retainer supplements your team with advanced capabilities during complex incidents. Should an attack happen while key members of the team are on holiday or otherwise unavailable, you need backup ready to go. Round-the-clock support ensures expert assistance whenever an incident occurs.  

Even with a full complement of in-house experts, having a cyber security team on retainer ensures immediate expert assistance during incidents, thereby significantly reducing the impact and costs of breaches.  

Familiarity and specialised expertise  

The retainer provider becomes familiar with your environment and your teams, enhancing incident response. They bring expertise not always available in-house, and if you use retainers for proactive measures, you can maximise the investment value.  

By the same token, a prepaid retainer encourages you to assess your needs up front, which helps avoid over-use of services and keeps costs efficient.

Proactive security improvements 

IR retainers should include proactive services like readiness assessments and threat hunting, which will improve your overall security posture. Budgeting for external engagement to drive improvements is a best practice that organisations should adopt. Even the smallest cyber security teams need regular reviews.

In the same way that financial audits are conducted, the attitude of “trust but verify” dictates that cyber security testing and validation of controls should be conducted by external parties. External providers should be a key part of any organisation’s cyber security framework.   

Continuous improvement is a fundamental component of cyber security. A third party brings independence and experience that organisations benefit from, by validating and building on the previous efforts of internal teams. A culture of openness driven by the board and a willingness to engage with external sources will benefit the business.

Looking across organisations, those who have sought independent reviews are the most secure. Those who have done internal reviews or relied on organisations with conflicts of interest (for example, using a managed detection and response (MDR) provider to review your cyber security capabilities) often find themselves with blind spots or making “politically motivated” review decisions. It should also be stated that a new tool is more often than not the wrong answer, and it will not solve all your problems. External assessment will optimise and drive improvements in existing tools and technologies. All too often breaches occur when plenty of tooling is in place but it has not been implemented, understood or managed effectively by the organisation’s stakeholders, because the time needed to configure it was overlooked.

Legal and regulatory compliance  

IR providers can help maintain legal privilege (that is, lawyer-client confidentiality) and demonstrate due diligence for regulatory compliance. A good IR provider will have extensive experience of operating in this space, so their actions will not place this legal construct at risk.   

Selecting a third-party cyber security team  

Expertise and experience  

Choose a team with proven incident handling experience and cross-industry expertise. I would also encourage individuals to speak directly to the IR handlers and understand first-hand what the experience of the team is on an individual level. An organisation’s experience does not necessarily mean that you will be given access to that experience through the individual team that will manage your breach.  

Comprehensive services  

Ensure they offer incident response, threat hunting, vulnerability assessments and other proactive services that can be drawn down at a time and in a manner of your choosing. If anything is certain in cyber security, it is that agility is absolutely vital.

Response time and availability  

Verify 24/7 availability and quick response capabilities. This is essential because, unfortunately, incidents tend to happen on a Friday afternoon or during the early hours. 

Technical skills and certifications  

Assess their technical proficiency and look for certifications like CISSP, CISM, CEH.  

Scalability and communication  

Ensure they can scale services and communicate effectively with all stakeholders and, as is always the case, that you as a client can speak directly to the practitioners.  

Compliance knowledge  

A team familiar with the multiple regulatory regimes in operation globally, and with the specific requirements of your organisation, could save you millions in the long run.

Cost structure and reputation  

Understand pricing models and check references to ensure reliability and confidentiality. This can be the last thing you want to do during an incident but is an absolute must for organisations seeking to get the most from the commercial relationship. In short, it is best done outside of the pressure cooker environment of a live incident.   

Integration and reporting  

Ensure seamless integration with your systems and clear, actionable reporting. An effective retainer provider will ensure that all insights and reporting are meaningful for the organisation and its leadership team.

By prioritising these factors, you can choose a cyber security team that enhances your security posture and ensures effective incident response. When managed and implemented appropriately, a retainer can add significant value to all organisations.   
