News Detail Banner
All News & Events

Client Alert: Ransomware and Cyber Incident Response: Who to Call, What to Do

March 24, 2024

The year 2023 was unfortunately another growth year for cybersecurity attacks, including ransomware.  The attacks impacted everyone from members of Congress, to licensed drivers in Oregon and Louisiana, and the MOVEit Transfer attack alone was estimated by at least one source to have impacted over 1,000 companies and over 60 million individuals’ data.

With no reason to expect any slowing of the cyberattack trend in 2024, there are several steps organizations of all sizes can take with the goal of being ready to respond, however. These steps include:

Cybersecurity Monitoring.

A number of cyber incident expert services specialize in monitoring aimed at stopping cyberattacks in their infancy and allowing a response before they cause damage and disruption.  The best case scenario for those using these services is early detection.             

Incident Response Plan.

A coordinated, robust “Incident Response Plan” should include the organizational structure, lines of communication, protocols for identifying incidents, and protocols for containing them.  This plan should be prepared in advance and updated to stay current. 


Often the first call an organization will make after learning of an attack is to cyber-risk counsel.  Experienced counsel can assist with:

  • Preparing the company (and its officers) to defend against liability or penalties stemming from potential FTC enforcement, and/or proposed class actions filed by consumers and shareholders.
  • Determining what reporting obligations, if any, are triggered. All states have enacted legislation requiring notification of security breaches involving personal information. If the breach involves electronic personal health records, additional breach notification rules apply requiring notice to the federal regulators, and in some cases, the media.  Additional disclosure requirements may also apply depending on the type of company and size of the breach. For example, U.S. Securities and Exchange Commission rules now require public companies to file an Item 1.05 Form 8-K four business days after determining that a cybersecurity incident is material.
  • Coordinating reporting across jurisdictions, if reporting is required.
  • Advising on the legal risks of voluntary disclosure to users even if there is no legal obligation.
  • Reviewing and working with the organization’s cybersecurity insurer on coverage issues.
  • Determining if there are contractual disclosure requirements with the organization’s business partners.
  • Issuing take-down notices and enforcing intellectual property rights with respect to any stolen data that is leaked online.
  • Prosecuting civil claims against those liable for causing, contributing or benefitting from the breach, if applicable.
  • Working with law enforcement to report the attack and any attendant ransom demands or other illegal activity; and
  • Working on strategy on whether to pay a ransom. Companies should not comply with cyber-criminals’ ransom demands without first seeking legal guidance.

Assembling the Technical Response Team.

A technical response team will work to contain the breach, preserve and collect digital artifacts, conduct a forensic examination and plug the security holes, all while presenting a clear and calm message to stakeholders and the public.  

Internally, the incident response team may include employees with information security, information technology, operations, human resources, communications, investor relations, and management roles. 

However, even organizations with robust information technology and security teams will need “surge” assistance at the earliest phases of the incident response.  Outside experts are also necessary to give maximum credibility to an internal investigation. 

Cyber insurance policies may also include a panel of response companies the insured is required to engage for that purpose. 

Types of experts that may be used include:

  • Digital Forensics Experts—who can help determine the cause, source and scope of a breach, examine system data, user activity, and other digital artifacts to determine attack vectors, and find the evidence that might help to identity the threat actor/s. A forensic expert will help determine what data was accessed and if it contains reportable content.
  • Incident Response Experts—who can help contain, stop attacks that may still be in progress, patch vulnerabilities and prevent further attacks.
  • Ransomware Negotiation Consultants—experts who specialize in communicating with the cybercriminals for “proof of life,” negotiating ransom and facilitating payment. Negotiating with the criminal actors is not something that should be done without a well-thought-out plan and without involving experts.
  • Crisis Public Relations Consultants—any breach will generate attention, particularly if regulators begin investigating the matter or malicious hackers publicize it. PR firms can help create messaging. 

Next Steps.

For the reasons discussed, quickly hiring cyber incident counsel and experts (to the extent experts are not already on standby as part of a monitoring service) will be  critical first steps in responding to a ransomware incident or other cyber incident. 

These first steps will lay the groundwork for the additional work and response to be done, as the investigation and incident response proceeds. 



If you have any questions about the issues addressed in this memorandum, or if you would like a copy of any of the materials mentioned in it, please do not hesitate to reach out to:

Viola Trebicka
Phone: +1 213-443-3243

Jennifer English
Phone: +1 213-443-3686

Nathan Archibald
Phone: +1 801 515 7310

To view more memoranda, please visit
To update information or unsubscribe, please email