SAN FRANCISCO — To be cyber resilient, risk managers should update their incident response plans to reflect the onslaught of ransomware and other emerging threats, experts say.

Many organizations developed their plans several years ago, often at the behest of their legal departments, which saw states enacting data breach notification laws, said Katherine Keefe, Marsh LLC’s Philadelphia-based cyber incident management leader for the U.S. and Canada.

She was among speakers during a session Tuesday on cyber resilience at the 2022 Risk & Insurance Management Society Inc.’s annual conference in San Francisco.

These days, with attacks often involving encrypting data coupled with data infiltration, incident plans need to be more sophisticated, she said. “Truly, you need to refresh it if a plan exists,” or create one if there’s not one in place, Ms. Keefe said.

Developing incident response plans is challenging because of the complexity involved, said Laura Meade, director, risk management, at Telephone and Data Systems Inc. in Chicago.

“The role of a risk manager is to pull folks together and get that buy-in. That is your job, to get people to understand what is important and what you potentially lose if you don’t handle an incident properly,” she said.

Ms. Keefe said, “One of the problems that need correction is, sometimes incident response plans sit within IT exclusively,” and IT often responds to issues from a technical point of view.  Instead, there should be a multidisciplinary approach that involves other stakeholders, she said.

The claims process after cyber incidents was also discussed.  It “can be a very collaborative experience,” said Meredith Schnur, New York-based managing director, U.S. and Canada cyber brokerage leader, at Marsh USA Inc., who moderated the session. Many people mistakenly approach it as if “it needs to be adversarial in some way,” she said.

Ms. Keefe said that because the vendor landscape changes continually, it is important to keep a current list of providers.

One area that “needs a lot of tire-kicking,” she said, is extortion services, where there is a “world of nuances.” Some providers only offer extortion services, while others include forensics.

“Don’t assume one case fits all,” Ms. Meade said.

She said she has worked with one vendor for cases involving the Health Insurance Portability and Accountability Act of 1996, but “I don’t want them anywhere near a ransomware or even a normal data breach.”