The Cybersecurity Incident Response Plan (IRP) forms part of the firm's Cybersecurity policy and outlines the steps the firm will take when a risk or threat is discovered. All fund managers, investment firms, and securities brokerages are expected to have this policy in place, as it documents what the firm is doing to minimize the risk of threats and how it intends to respond in the event of a breach. Firms are also expected to fully track and document their response steps, and to fully disclose the damage done, the costs incurred, and the recovery procedures followed.
Developing a strong Cybersecurity IRP starts with an assessment of existing capabilities and threats. The SEC's Office of Compliance Inspections and Examinations (OCIE) has stated what it expects to see in a sound plan.
OCIE examiners will focus on and scrutinize the following areas: governance and risk assessment, access rights and controls, data loss prevention, vendor and third-party management, and incident response. Specifically, examiners will review whether the established policies, assigned roles, system assessments, and plans to address events are sound. Examiners are keenly concerned with the risks to, and the handling of, Personally Identifiable Information (PII).