Cyber incident response

Cyber security incidents are becoming the new norm: what should you be doing to prepare and respond?

Cyber security incidents have become inevitable; the result of our increasingly interconnected and technology-enabled world. As the increasing frequency of high-profile breaches shows, no organisation is immune. It's important you're prepared and able to respond effectively - whatever your industry, location or organisation size.

Why now is the time to take action

  • Regulations such as GDPR and NIS require organisations to respond within 72 hours or face significant fines.
  • More and more cyber insurance providers now expect their clients to demonstrate adequate level of preparedness before making a claim.
  • Bringing in an incident response provider in the middle of an incident without having a retainer in place can significantly delay response due to the time needed for onboarding.
  • Response efforts often fail due to a lack of expertise and poor approach to incident response planning.

What questions should you be asking?

Many people and departments have a role to play in ensuring that your organisation is able to effectively respond to cyber security incidents. This includes board level stakeholders such as the CEO, CIO, and CFO CTO; key IT and security leaders such as the head of IT, CISO, head of IT security, and head of IT operations; and others such as legal, internal audit, and risk.

  • Are you prepared to respond to a cyber security incident?
  • Do you have plans in place to respond to, and recover from, the most likely scenarios?
  • Have you exercised your response to a security incident, including at executive committee and board level?
  • What would your worst case cyber security incident look like?
  • Is your board equipped with the expertise needed?
  • Do you know who to call should the inevitable happen?
  • Do you have experts on call and ready to respond to a cyber incident?
  • Do you have the capability to contain and limit the impact of a breach?

If the answer to any of these is 'no',  we can work with your organisation to help.

Our incident response services

As one of the few firms providing comprehensive end-to-end incident response services globally, our market-leading cyber incident response practice is well positioned to advise organisations who are preparing for, responding to and learning from cyber security incidents in order to minimise business impact and residual risk.

Incident response retainers

On-demand access to a specialist cyber incident response team in the event of a cyber incident to quickly detect, contain and remediate the threat.

  • Workshops to understand your IT estate and existing incident response policies and procedures.
  • On-site and remote response SLAs.
  • 24/7 emergency response hotline.
  • Real-time virtual communication with a dedicated incident response team. 
  • Crisis preparedness support where it is needed from board-level to first-responder teams.
  • Access to our customised incident reporting templates. 
  • Any unused retainer hours/days can be spent on other incident response services.
  • Access to a range of threat intelligence services and detailed reporting to inform your wider security strategy.  

Our incident response retainers are available in three tiers. We pride ourselves in providing the highest level of service, regardless of the tier chosen. We apply what we believe to be three essential qualities across our incident response retainer tiers; fast, effective and expert.

What are the benefits?

  • Rapid and effective response to reduce the impact of a cyber security incident.
  • Understanding of your organisation across technical, strategic, legal and crisis management priorities. 
  • Customisable service agreements to suit your business requirements. 
  • Availability of relevant documentation and data to demonstrate compliance to stakeholders and regulators. 
  • Rapid access to a wide-range of cyber security, forensic, business advisory and legal experts – all of whom are experienced in working closely together in times of crisis.

View more

Incident readiness

We provide a range of services to help businesses improve their own state of readiness and ability to respond to all types of cyber threats:

  • Playbook development - Step by step technical and management guidelines for specific incident types, including workflows, roles of key personnel and action plans.
  • Forensic readiness - We help you to have the right data available and accessible to thoroughly investigate an incident and inform a containment strategy.
  • First responder training - Preparing your technical teams to make critical decisions within the first 48 hours of an incident, including how to monitor and contain an incident
  • Crisis simulation - A tailored exercising programme to ensure all teams in your response structure are ready to put your crisis framework and playbooks into action.
  • Crisis framework - After evaluating your existing crisis management procedures, we help you develop a set of guidelines to enable an appropriate response to crisis events with minimum disruption to business.
  • Threat modelling - Assessing the security of your information assets to help you identify vulnerabilities and understand how relevant threats would navigate your infrastructure to achieve their objective.
  • Breach readiness assessment - Helping you to understand your level of legal preparedness to respond to a personal data breach.
  • Threat profiling - Identifying the real-world threats you face, enabling you to tailor your preparation efforts appropriately.

What are the benefits?

  • Helps organisations to minimise the financial, reputational and operational impact of the breach.
  • Teams involved are able to confidently and effectively respond to an incident.
  • Security and risk teams have the information and documentation needed to notify regulators and stakeholders in a timely but controlled manner.
  • You have a clear understanding of threats facing your business so preparedness efforts can be tailored accordingly.

View more

Post incident review

An independent end-to-end evaluation of an organisation’s response to an incident, from root-cause analysis to evaluating the effectiveness of stakeholder and legal management.

Root-cause analysis – Understanding why this happened

  • An analysis of an organisation’s network environment and infrastructure.
  • Interviews with key IT stakeholders to document the facts of the incident.
  • Preservation and analysis of forensic images or ‘snapshots’ of relevant systems and any log or firewall data.
  • Interrogation of log files, system data and incident tickets or logs to establish all of the facts and timelines of the incident.

Incident response and management review 

  • Evaluating the effectiveness of the response to and management of the incident from both a technical and business perspective and plans, procedures and tools used to respond to the incident.
  • Evaluation of the effectiveness of stakeholder and legal management.

What are the benefits?

  • Allows organisations to understand why an incident happened and how they can be better prepared in the future.
  • Lessons learned from post-incident reviews act as significant catalysts for change in the organisation’s security culture, behaviours and processes.
  • Provides an opportunity to assess the efficacy of both organisational and security controls in place to prevent, detect, mitigate, contain and recover from incidents.
  • Provides concrete lessons and recommendations for improving incident management.

View more

Why choose us as your cyber incident response partner?

Rated by Forrester as a leader in the Forrester Wave™: Digital Forensics and Incident Response service providers, Q3 2017.

We are one of only a few firms that are certified by the National Cyber Security Centre’ Cyber Incident Response (CIR) scheme to respond to sophisticated attacks on networks of national significance.

As well as a depth of technical knowledge, we understand the business, legal and regulatory context that underpins your operations.

We have provided digital forensics and incident response services in the UK since 1998.

Certified by CREST, the industry body for technical cyber security, to deliver cyber incident response services.

“PwC very clearly outlines not only its incident triage and escalation processes, but also its customer journey for incident readiness to help customers prepare for crisis”

The Forrester Wave™: Digital Forensics and Incident Response service providers, Q3 2017

How have we helped clients?

Our market-leading cyber incident response team has successfully provided these services to clients at various levels of maturity and across multiple industries, founding lasting relationships based on trust.

Recent examples include:

  • Helping a major legal firm to regain its business operations and mitigate the loss of data after a global attack crashed all the computers on their network, sending employees home and grinding their business to a halt.
  • Containing and removing a previously unknown state-sponsored threat actor from a client’s network, having identified how and when the attacker compromised their network.
  • Determining how a cyber attacker compromised customer accounts from at a global wealth management organisation before helping them to assess the legal risk from a privacy breach notification standpoint. This was followed up with tactical and strategic recommendations to more effectively detect and respond to cyber attacks.


Follow us

Required fields are marked with an asterisk(*)

By submitting your information, you acknowledge that we may send you business insights that we consider relevant to your interests. Please see our privacy statement for details of why and how we use personal data and your rights (including your right to object and to stop receiving marketing communications from us). To stop receiving marketing communications from us, click on the unsubscribe link in the relevant email received from us or send an email to

Contact us

Kris  McConkey

Kris McConkey

Cyber Threat Operations Lead Partner, PwC United Kingdom

Tel: +44 (0)7725 707360

John Corcoran

John Corcoran

Incident Response - Senior Manager, PwC United Kingdom

Tel: +44 (0)7483 416648