The Cybersecurity Incident Response Plan becomes part of the Cybersecurity policy and outlines steps the firm will take when a risk or threat is discovered. All fund managers, investment firms, and securities brokerages are expected to have this policy in place, as it outlines what the firm is doing to minimize the risk of threats, and how it intends to administer response in the event of a breach. Firms are also expected to fully track and document their response steps, and fully disclose damage done, costs, and recovery procedures.
In order to develop a strong Cybersecurity IRP, an assessment of existing capabilities and threats is needed. The SEC's Office of Compliance Inspections and Examinations (OCIE) tells us what it expects in a sound plan.
OCIE examiners will focus on and scrutinize the areas of governance and risk assessment, access rights and controls, data loss prevention, vendor and third-party management, and incident response. Specifically, examiners will review whether established policies, assigned roles, system assessments, and plans to address events are sound. Examiners are keenly concerned about the risk to, and handling of, Personally Identifiable Information (PII).
Develop an Incident Response Team (IRT)
For most firms, containment and investigation of an incident requires a team effort with multiple departments involved. Depending on the size and structure of the firm, employees and service providers are assigned specific tasks to address the various types of foreseeable incidents. The IRT leaders take responsibility as first responders and ensure that the initial tests outlined in the Response Plan are conducted. Therefore, it's important that team members meet regularly to evaluate testing procedures and threats.
Elements of the plan should include a list of critical contacts and resources. Essential contact information and resources should be readily accessible to the persons responsible for activating critical resources in response to an incident. Contacts and information included may encompass forensic experts, legal counsel, the firm's insurance policy, data breach experts, notification services, and press and media contacts.
Data breach experts recommend using an incident risk matrix to categorize risk levels as low, medium, or high. It's good policy to define "triggers" in the plan to help determine whether an incident should be escalated to the next level. Escalation tends to be a key area where managers and first responders carry a level of uncertainty. For instance, a lost file containing a single client or employee record may be medium to low risk. However, the same event could be classified as high risk requiring immediate action if it is the starting point for a greater threat. Triggers and matrices help IRP responders determine whether a threat should be escalated.
Upon discovery or notification of a threat or attack, log the following information:
- Name and contact details of the person making the notification
- Date and time of the notification
- Date and time the incident occurred (if known)
When investigating the incident, key elements to log include:
- Source of the attack
- Systems accessed
- Information extracted or compromised
- Security of sensitive client or firm information
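The risk matrix, escalation triggers, and intake/investigation fields described above can be written down as a small triage helper so that first responders apply the same rules every time. The following is an added example, not code from the original post or from RND Resources; the field names, the impact thresholds, the three trigger rules and the sample incidents are all constructed assumptions that a firm would replace with the values in its own plan.

```python
"""Incident triage helper: risk matrix plus escalation triggers.

Added example for illustration. Thresholds, trigger names and sample
incidents are constructed assumptions, not values from any real plan.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

LEVELS = ["low", "medium", "high"]

# Risk matrix: (impact of the data involved, likelihood of wider harm) -> base level.
# Hypothetical bands; a firm would define its own.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("minor", "unlikely"): "low",
    ("minor", "likely"): "medium",
    ("moderate", "unlikely"): "medium",
    ("moderate", "likely"): "high",
    ("major", "unlikely"): "high",
    ("major", "likely"): "high",
}


@dataclass
class Incident:
    # Logged at notification (the plan's intake fields)
    reporter: str
    reporter_contact: str
    notified_at: datetime
    occurred_at: Optional[datetime] = None        # may be unknown at intake
    # Filled in during investigation
    source: str = "unknown"                       # e.g. "internal", "external"
    systems_accessed: List[str] = field(default_factory=list)
    data_compromised: List[str] = field(default_factory=list)
    records_affected: int = 0
    pii_exposed: bool = False
    related_to_open_incident: bool = False        # starting point of a greater threat?


def impact_band(records_affected: int) -> str:
    """Map a record count to an impact band (hypothetical thresholds)."""
    if records_affected <= 1:
        return "minor"
    if records_affected <= 100:
        return "moderate"
    return "major"


def likelihood_band(inc: Incident) -> str:
    """An external source is treated as a likely sign of wider harm."""
    return "likely" if inc.source == "external" else "unlikely"


# Triggers: (name, predicate, action). "next" moves the level up one step,
# "high" jumps straight to high and immediate action.
TRIGGERS: List[Tuple[str, Callable[[Incident], bool], str]] = [
    ("pii_exposed", lambda i: i.pii_exposed, "next"),
    ("multiple_systems_accessed", lambda i: len(i.systems_accessed) > 1, "next"),
    ("linked_to_open_incident", lambda i: i.related_to_open_incident, "high"),
]


def assess(inc: Incident) -> Dict[str, object]:
    """Apply the matrix, then any triggers, and say whether to escalate."""
    base = RISK_MATRIX[(impact_band(inc.records_affected), likelihood_band(inc))]
    level = base
    fired = []
    for name, predicate, action in TRIGGERS:
        if predicate(inc):
            fired.append(name)
            if action == "high":
                level = "high"
            else:
                level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return {
        "base_level": base,
        "risk_level": level,
        "escalate": level == "high" or bool(fired),
        "triggers": fired,
    }


def log_entry(inc: Incident) -> Dict[str, object]:
    """The intake and investigation fields the plan says to record, plus the triage result."""
    return {
        "reporter": inc.reporter,
        "reporter_contact": inc.reporter_contact,
        "notified_at": inc.notified_at.isoformat(),
        "occurred_at": inc.occurred_at.isoformat() if inc.occurred_at else "unknown",
        "source": inc.source,
        "systems_accessed": list(inc.systems_accessed),
        "data_compromised": list(inc.data_compromised),
        "pii_exposed": inc.pii_exposed,
        **assess(inc),
    }


# Constructed sample incidents: the lost single-record file from the text,
# the same file when it contains PII, and the same file when it turns out to
# be linked to an open, externally sourced intrusion.
SAMPLE_LOST_FILE = Incident(
    reporter="A. Analyst (constructed)", reporter_contact="ext. 0000 (constructed)",
    notified_at=datetime(2016, 11, 1, 9, 30), source="internal",
    systems_accessed=["file-share"], data_compromised=["one client record"],
    records_affected=1,
)
SAMPLE_LOST_FILE_PII = replace(SAMPLE_LOST_FILE, pii_exposed=True)
SAMPLE_LINKED = replace(SAMPLE_LOST_FILE, source="external", related_to_open_incident=True)

if __name__ == "__main__":
    for inc in (SAMPLE_LOST_FILE, SAMPLE_LOST_FILE_PII, SAMPLE_LINKED):
        print(log_entry(inc))
```

Running the block prints one log entry per sample: the plain lost file stays low with no escalation, the PII variant steps up to medium via the `pii_exposed` trigger, and the linked variant goes to high because the `linked_to_open_incident` trigger overrides the matrix. Keeping the triggers as an explicit list makes them easy to review at the IRT's regular meetings and to change without touching the matrix.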
Notification to Impacted Parties
The standards for notifying victims in the event of a breach can vary. State and federal laws differ, as do the regulations governing financial industry sectors. When developing the IRP, consider the applicable regulatory standards and add additional layers of notification as deemed necessary. Firms should be aware that the window for notification generally starts at the time an incident is first discovered.
Ease the workload: create notification templates covering various situations and make them readily available as part of the IRP. In the event of an incident, the templates are used to communicate with clients, employees, service providers, and media relations. Take precautions with data security when sending out communications; ensure the delivery method doesn't further compromise PII. Also, determine whether clients and employees may need additional resources to mend the damage.
Documentation and Regulation
The SEC will ask for documentation about incidents, including losses incurred and the cost of mitigation, along with the circumstances and facts. The effectiveness of the IRP includes how well the documentation stands up under examination. Investigators often request computer data logs and files pertaining to the devices impacted and servers compromised. They may also look at employee communication, corrective actions taken, notifications, and the overall response of the IRT.
Include in the response details about containment, such as a factual description of the incident, the preliminary risk assessment, and the monitoring conducted after the incident was contained.
Cybersecurity incidents are an ever-evolving threat, with attackers continually finding inventive ways to do harm. Prevention is a strong form of protection, but it is not likely to be a solution in every situation. Preparation in advance gives firms the support plan they need to minimize risk and react swiftly.
#cybersecurity #cyberplan #riskandgovernance #webinar
Learn more about cybersecurity governance. Register for our free webinar December 6, 2016.
RND Resources assists Broker-dealer firms, Fund Managers, and RIAs with cybersecurity assessment and planning solutions. Check our website for more information, upcoming training events, gap analysis worksheets, and emerging trends in cybersecurity as it pertains to Financial Service firms. Find out more about Cybersecurity services at RND Resources.