Incident Response Plans: What Every Small or Mid-Sized Virginia Business Should Have
General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.
The information in this article is for general informational purposes only and does not constitute legal advice. Laws change and individual circumstances vary. Consult a licensed Virginia attorney about your specific situation. Reading this article does not create an attorney-client relationship nor does merely contacting our office through this website or any other means.
Many small and mid-sized businesses in Virginia treat cybersecurity planning as something to get to after the immediate demands of running the business. An incident response plan is easy to defer when nothing appears to be wrong. The problem is that when something does go wrong, the absence of a plan becomes immediately apparent and costly.
A data breach, ransomware attack, or unauthorized access incident creates decisions that need to be made quickly, often under stress, by people who may never have dealt with a cyber incident before. Without a documented plan, those decisions are improvised. Improvised responses to cyber incidents tend to be slower, more expensive, legally riskier, and less effective than planned ones.
This article describes what an incident response plan is, what it should contain, and how Virginia businesses can build one proportionate to their size and resources.
What an Incident Response Plan Is
An incident response plan (IRP) is a documented set of procedures that guides an organization through the process of identifying, containing, eradicating, and recovering from a cybersecurity incident, and then conducting a review to improve future preparedness. It is not a technical document written only for IT staff. It is an operational document that identifies who does what, in what order, when an incident occurs.
A plan that exists only in the heads of your IT staff, or that was drafted and never updated, provides limited protection. The value of an IRP is that it can be executed by people under pressure who may not have encountered this situation before, because the decisions have already been made and documented in advance.
The Six Phases of Incident Response
The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and its companion Incident Response Guide describe incident response as a cyclical process with several key phases. Most incident response plans are organized around a similar structure.
Phase 1: Preparation
Preparation is the work that happens before an incident occurs. It includes:
- Identifying critical assets: What systems, data, and operations does your business depend on? What would be the impact if they were unavailable for 24 hours, one week, or longer?
- Establishing roles and responsibilities: Who is responsible for declaring that an incident has occurred? Who coordinates the technical response? Who communicates with leadership, customers, regulators, and the press?
- Building your response team contact list: Your IRP should contain current contact information for internal response team members, your IT or managed service provider, legal counsel, your cyber insurer, and a forensics firm you have vetted in advance.
- Implementing baseline security controls: An IRP cannot substitute for security controls. Preparation also means ensuring you have logging enabled, backups tested, and detection capabilities in place.
Phase 2: Identification
Identification is the process of determining whether an observed event constitutes an incident and, if so, what kind. This phase involves:
- Triaging alerts and reported anomalies to distinguish actual incidents from false positives
- Categorizing the incident by type (ransomware, phishing-initiated credential theft, unauthorized access, data exfiltration) and severity
- Preserving initial evidence including system logs, endpoint telemetry, and user reports before they are overwritten
- Beginning documentation with a written log of all actions taken, decisions made, and information gathered from the moment of detection
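The two identification items most often skipped under pressure are preserving evidence before it is overwritten and keeping a written, timestamped log of every action from the moment of detection. The following Python script is an added example, not code from the article or from Valley Legal: it opens an incident record, hashes each collected evidence file so later overwriting is detectable, and appends every action to an append-only log. The incident categories mirror the article's list; the severity ladder, field names, role names and the three-line sample endpoint log are assumptions constructed for illustration.

```python
"""Incident action log with evidence preservation (added example; the
category-to-severity table, field names and sample log are assumptions)."""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import List

# Assumed baseline severity per category; the article names the categories,
# not the severities, so adjust this table to your own risk appetite.
SEVERITY_BY_CATEGORY = {
    "ransomware": "high",
    "data_exfiltration": "high",
    "credential_theft": "medium",
    "unauthorized_access": "medium",
    "false_positive": "none",
}


def classify(category: str, regulated_data_suspected: bool) -> str:
    """Map a category to a severity. Anything that may involve regulated
    personal data is raised to 'high' because it can trigger notification duties."""
    base = SEVERITY_BY_CATEGORY.get(category, "medium")
    if regulated_data_suspected and base != "none":
        return "high"
    return base


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_of_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class EvidenceItem:
    path: str
    sha256: str
    source: str        # e.g. "endpoint log", "mail gateway export", "user report"
    collected_by: str
    collected_at: str


@dataclass
class IncidentLog:
    incident_id: str
    category: str
    severity: str
    detected_at: str = field(default_factory=utc_now)
    entries: List[dict] = field(default_factory=list)
    evidence: List[EvidenceItem] = field(default_factory=list)

    def record(self, actor: str, action: str, detail: str = "") -> dict:
        """Append one timestamped entry; entries are never edited or removed."""
        entry = {"at": utc_now(), "actor": actor, "action": action, "detail": detail}
        self.entries.append(entry)
        return entry

    def preserve(self, path: Path, source: str, collected_by: str) -> EvidenceItem:
        """Hash a file as collected so later overwriting or tampering is detectable."""
        item = EvidenceItem(str(path), sha256_of_file(path), source, collected_by, utc_now())
        self.evidence.append(item)
        self.record(collected_by, "preserve_evidence", f"{source}: {path} sha256={item.sha256}")
        return item

    def verify_evidence(self) -> List[str]:
        """Return paths whose current hash no longer matches the hash taken at collection."""
        return [e.path for e in self.evidence if sha256_of_file(Path(e.path)) != e.sha256]


def open_incident(incident_id: str, category: str, regulated_data_suspected: bool) -> IncidentLog:
    log = IncidentLog(incident_id, category, classify(category, regulated_data_suspected))
    log.record("detector", "incident_opened", f"category={category} severity={log.severity}")
    return log


# Constructed sample: three lines of a fictitious endpoint log, not real telemetry.
SAMPLE_LOG = (
    b"2025-01-10T08:02:11Z host=WS-07 user=jdoe event=process_start image=powershell.exe\n"
    b"2025-01-10T08:02:13Z host=WS-07 user=jdoe event=file_rename count=412 ext=.locked\n"
    b"2025-01-10T08:02:15Z host=WS-07 user=jdoe event=file_create name=README_RESTORE.txt\n"
)


def run_demo() -> dict:
    """Open an incident, preserve the sample log, verify it, then overwrite the
    original (as log rotation would) and show that verification catches it."""
    logfile = Path(tempfile.mkdtemp()) / "ws-07-endpoint.log"
    logfile.write_bytes(SAMPLE_LOG)
    inc = open_incident("IR-0001", "ransomware", regulated_data_suspected=True)
    item = inc.preserve(logfile, "endpoint log", "it-provider")
    inc.record("it-provider", "isolate_host", "WS-07 removed from network; not powered off")
    intact = inc.verify_evidence()
    logfile.write_bytes(b"")      # original overwritten after collection
    return {
        "severity": inc.severity,
        "entries": len(inc.entries),
        "evidence_count": len(inc.evidence),
        "hash_matches_sample": item.sha256 == hashlib.sha256(SAMPLE_LOG).hexdigest(),
        "intact_before": intact,
        "changed_after": inc.verify_evidence(),
        "record": asdict(inc),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2, default=str))
```

The hash taken at collection, the collector's name and the collection time are what a forensics firm or insurer will ask for later; a plain text or JSON copy of this record kept off the affected systems is enough for a small business, and the same structure carries forward into the Phase 6 timeline.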
Phase 3: Containment
Containment stops the spread of the incident without destroying evidence. Your IRP should distinguish between:
- Short-term containment: Immediate steps to prevent the incident from spreading, such as isolating a compromised system from the network or disabling a compromised account
- Long-term containment: Steps to allow operations to continue on unaffected systems while affected systems are investigated and remediated
A critical point: containment must be balanced against evidence preservation. Wiping an infected system before forensic analysis is complete destroys evidence that may be needed to determine the scope of the breach, the attacker’s method of entry, and whether data was exfiltrated.
Phase 4: Eradication
Eradication removes the threat from your environment. This includes:
- Removing malware from affected systems
- Disabling compromised accounts and resetting credentials
- Identifying and patching the vulnerability that was exploited
- Verifying that the attacker no longer has access to any system
Eradication should not begin until the full scope of the incident is understood. Attempting to eradicate a threat while the investigation is incomplete may result in missing attacker persistence mechanisms, such as backdoors or additional compromised accounts.
Phase 5: Recovery
Recovery involves restoring affected systems and operations. This phase includes:
- Restoring systems from clean backups
- Monitoring restored systems closely for signs of re-compromise
- Communicating with stakeholders about the status of recovery
- Resuming normal business operations in a phased and controlled manner
Recovery also includes fulfilling legal notification obligations. Virginia Code § 18.2-186.6 requires notification of affected individuals within 60 days of discovering a breach that has caused or is reasonably believed to have caused identity theft or other financial harm. If the breach affects more than 1,000 Virginia residents, written notification to the Virginia Attorney General is also required.
Phase 6: Lessons Learned
After the incident is resolved, conduct a structured review with everyone involved in the response. This review should document:
- A timeline of the incident from initial access through resolution
- What the response team did well
- What should be done differently next time
- What security improvements should be implemented to prevent recurrence
Lessons learned documentation is valuable for improving your security posture and for demonstrating to regulators and insurers that you have a mature response process.
Roles and Responsibilities
Every IRP should designate named individuals and their backups for key roles, including:
- Incident Commander: The person who leads the overall response and coordinates among technical, legal, communications, and business functions
- Technical Lead: The person (or team) responsible for the hands-on investigation and remediation
- Legal Counsel: Your attorney, who advises on notification obligations, privilege strategy, and regulatory reporting
- Communications Lead: The person responsible for external communications, including customer notifications, media inquiries, and regulatory correspondence
- Executive Sponsor: A member of leadership with authority to approve significant decisions, such as taking systems offline or paying a ransom
For small businesses where one person wears several hats, the IRP should be clear about which role takes priority in a conflict and who covers each function if a key person is unavailable.
Tabletop Exercises
An untested incident response plan may fail when it matters most. Tabletop exercises are structured simulations in which your response team works through a hypothetical incident scenario to practice decision-making and identify gaps in the plan.
A basic tabletop exercise might present a scenario (for example, an employee reports that their computer is displaying a ransomware demand) and walk participants through the decisions the plan calls for, asking where the plan is unclear, what information is missing, and what obstacles would arise in practice.
Tabletop exercises do not need to be elaborate. A half-day exercise conducted once a year with your core response team, including your IT provider, legal counsel, and key managers, can reveal significant gaps and build familiarity with the plan before an actual incident.
Alignment with Cyber Insurance
Your cyber insurance policy and your incident response plan must be aligned, because the insurer’s requirements will affect how you respond to an incident.
Most cyber policies specify:
- Which vendors you must use for forensics and breach notification services, or how you obtain insurer approval to use others
- How quickly you must notify the insurer of a potential claim
- What documentation you must preserve and submit
- What expenditures require pre-approval
Before finalizing your IRP, review your cyber insurance policy and ensure that the plan reflects the insurer’s notification timelines and vendor requirements. An IRP that calls for engaging a forensics firm that is not on your insurer’s approved vendor list could create coverage complications.
When to Call Your Attorney vs. IT vs. Your Insurer
The sequence of calls after discovering an incident matters. A practical sequence for most Virginia businesses:
- Contact your IT provider or internal IT team to begin immediate containment steps
- Contact your attorney early, before significant investigation work is done, to establish privilege protections over the investigation
- Contact your cyber insurer, as required by your policy, often within 24 to 72 hours of discovering a potential incident
- Engage forensics through or under the direction of legal counsel, using insurer-approved vendors where applicable
This sequence is not absolute. If systems are actively being destroyed or data is actively being exfiltrated, technical containment steps take priority. But the legal and insurance notifications should follow as quickly as possible.
For businesses throughout the New River Valley, including those in Christiansburg, Radford, and Floyd County that may be handling an incident for the first time, having these contacts identified in advance and these decisions already made removes significant cognitive load from a high-stress situation.
This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.
Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.