Can't help but agree but would say that is the absolute minimum you should do. I would even say hire a CISO to get your security policies in order and  bring in a CEH to regularly test the site/ related networks for vulnerabilities it may cost them but it is worth it in the long run as the damage done to a reputation due to an event like this is immense.