Nearly every company will at some point face a successful cyber attack. Accordingly, regulators, insurers, auditors, and investors view an incident response plan (“IRP”) as a key element of a reasonable cybersecurity program. In this Debevoise Data Blog post, we discuss: IRP regulatory requirements; the value of IRPs to assist in meeting breach notification deadlines (which are shrinking); why many IRPs need to be updated; tips for improving the effectiveness of IRPs; and, for many U.S. banks, modifying IRP to meet the new 36-hour breach notification rule.