Incident response and recovery

Responding to cyber security incidents requires more than just best in class forensics, which is why partnering with a provider who can support you across a breadth of capabilities and understand the regulatory and organisational complexities is increasingly important.

  • Cyber security incidents and the crises they can trigger are increasingly complex, with malicious threat actors constantly evolving their tools and techniques to have as much impact as possible.
  • Businesses are increasingly dependent on interconnected and interdependent IT, regulations are strict, and public expectation of transparency is high.
  • Operational resilience is a key regulatory requirement for many industries, with a particular focus on cyber security, as financial entities become more technology reliant in line with the Digital Operational Resilience Act (DORA) and Network Information and Security 2 (NIS 2) regulations.
  • Organisations with operational technology (OT) environments are increasingly seeing the disruptive impact of cyber incidents.

As an assured National Cyber Security Centre (NCSC) Cyber Incident Response (CIR) Level 1 provider, we have been supporting organisations across all sectors including those in highly regulated industries with incident response and digital forensics services since 1998.

Our tried and tested methodology helps you rapidly respond to complex incidents and implement a recovery strategy. We bring a breadth of capability, including our global threat intelligence practice, crisis management and communications expertise, board and executive support, along with a well established methodology for data breach reviews and claims support.

Incident response retainers

Our incident response retainers provide global, on-demand, 24/7/365 access to a specialist incident response team in the event of a cyber security incident.

Our approach to retainers emphasises ongoing collaboration and contact throughout the year. We believe that incident response and intelligence teams who maintain an ongoing connection, and who are familiar with each other, will also be able to collaborate more effectively and promptly in an incident.

Initial and ongoing workshops to understand your business, IT infrastructure, existing incident response policies and procedures, and enable an effective response.

Our retainer includes a four hour SLA and can becustomised further givingyou confidence that youhave access to experts if anincident occurs.

Our retainer is modularand fully customisable, allowing you to select the benefits that you need most.

Real-time virtual communication enabled by Slack or Teams with the PwC incident response team, to make sure we are an extension of your team, and not just another service provider.

Access to our monthly threat intelligence summary reporting, and a range of other PwC intelligence resources such as our quick response tipper programme.

Unused retainer hours can be used on preparedness and other cyber security services, to maximise your return on investment.

Rapid access to a range of additional cyber security services (including threat intelligence and threat detection) to inform wider security strategy.

You can invoke PwC's IR services by:

Emailing PwC’s monitored inbox

Calling PwC’s 24/7 hotline +44 808 196 2169

Posting a message in your dedicated Slack or Teams channel

Incident response plans and playbooks

In an environment of growing cyber security threats, it is essential that organisations have well-documented, understood, and exercised plans and playbooks to ensure you are ready to respond when a cyber security incident or crisis occurs and to quickly recover.

As a strategic partner, we are able to support you across all pillars of your cyber defence programmes.

We can assist in the creation, customisation, or updating of incident response plans and playbooks. And our deep expertise and experience enables us to support you with the provision of anything from highly technical step-by-step guidance to higher-level strategic decision-making support, such as managing the response to ransomware attacks.

Benefits of an effective cyber security incident response and recovery plan

Rapid response

There is a clearly defined response framework and supporting governance, clear ownership, pre-agreed decision-making authority and escalation pathways; all enabling rapid response when needed.

Integrated response

The response and recovery capability spans both business and technical concerns, drawing on broad cross-organisational capabilities; ensuring you have the right people engaged from the outset.

Increased readiness

People, processes and tools are rehearsed and ready to respond when a cyber attack occurs; building a strong ‘muscle memory’ that can be quickly triggered.

Emerging stronger

Business-as-usual operations are quickly restored and lessons learned are identified and addressed to help prevent recurrence; enhancing overall operational resilience.

Post incident review

Our post incident review capability involves a thorough examination and analysis of a cyber security incident that has occurred within an organisation. The overall purpose is to provide recommendations across people, processes and technology to help implement lessons learned from the incident, and reduce the likelihood and impact of future attacks.

In May 2021, the Irish Health Service Executive (HSE) suffered a well publicised ransomware attack. PwC was commissioned by the Board of the HSE to conduct an independent post incident review. Our comprehensive review of the incident highlighted many strategic and tactical recommendations for HSE. It also provided key learnings applicable to all organisations.

Read the full report Conti cyber attack on the HSE - Independent post incident review.

Benefits of a post incident review

  • Identify improvements to organisational preparedness: We will identify gaps in your business continuity and incident response practices and plans. This will allow you to fully understand what needs to be changed to support you in avoiding or effectively responding to incidents in future.
  • Identify improvements to cyber security to address root-cause issues: These improvements will cut across people, processes and tooling to help improve your ability to rapidly prevent, detect and respond to cyber security incidents.
  • Identify improvements to disaster recovery capability: We will identify opportunities to improve your capability and the disaster recovery solutions required to meet your business continuity requirements in response to future incidents.


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

Contact us

Tom Hall

Tom Hall

Director - Incident Response & Remediation, PwC United Kingdom

David Cannings

David Cannings

Cyber Threat Operations, PwC United Kingdom

Tel: +44 (0)7483 434287

Follow us