Many companies recognize that an effective incident response plan can go a long way towards mitigating the consequences of cybersecurity incidents. However, they often make simple mistakes in implementing these plans, largely because they lack a comprehensive strategy to combat persistent cyber threats. In this final segment of our three-part series on the topic, we explore common deficiencies in response plans, challenges companies face when implementing a plan, how to use metrics to troubleshoot and advocate for plan resources, and estimated costs associated with investigating and remediating the inevitable breach. The article features exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part two set forth seven key components of a robust incident response plan. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).