Incident Response Plans have been a critical component for financial institutions (FIs) for quite some time now.
The foundation was outlined as part of GLBA and guidance was later issued on the requirements for these response programs where customer information had been accessed. So this raises the question, if Incident Response Plans have been a necessity for so long, why do so many FIs continue to have ineffective plans in place? I can only speculate as to the reasons why; however, I do know that the expectations for Incident Response Plans are beginning to change. I have spoken with a number of institutions who have shared that their examiners are honing in on Incident Response Plans. With this increasing focus on plans, I want to share with you a few of the most critical pieces that I often see missing from Incident Response Plans.
First and foremost, decide who will be part of your Incident Response Team and clearly outline the responsibilities of these individuals. Your team should have representation from many areas within your FI and include Technology Service Providers if necessary. Keep in mind it is not enough just to have these responsibilities included in your plan. Ensure that your team members understand what their responsibilities will be and that they have become familiar with these expectations. You may want to consider including these responsibilities as part of your regular training efforts. No institution wants to find itself in the midst of an incident with a team that is unsure of steps they are supposed to take. Assigning these roles and responsibilities prior to an incident will help everyone to react in a more confident and efficient manner.
Two other vital pieces that you may want to incorporate into your Incident Response Plan are Corporate Account Takeover Procedures and DDoS Response Procedures. Having Corporate Account Takeover procedures in place is extremely important if your FI allows business customers to have online ACH origination and wire transfer capabilities. DDoS Response Procedures should address preventative measures, possible measures to take during an attack, and post DDoS attack steps. Ideally these procedures should also address DDoS attacks affecting your online banking services and vendor involvement during these situations. Corporate Account Takeover Procedures and DDoS Response Procedures are both items that I have seen examiners specifically ask for over the past year. In fact, this fits with the larger, more recent trend I have seen of examiners expecting to see more cyber scenarios referenced in Incident Response Plans and included in testing.
The final vital component of any solid and reliable Incident Response Plan is testing. Anyone who has worked with me on an Incident Response Plan knows that this is one of my soapboxes. In fact, I have written on this very subject in the past. But people still put up a fuss about having to test their plan, so I am going to keep up my campaign to stress the importance of it. Short of experiencing an actual incident where you have to implement your plan and can evaluate the effectiveness of it afterward, testing is the only way make sure your plan is going to work well. And honestly, who wants to have to go through an incident to find out if their plan works? Now examiners are beginning to place emphasis on testing as well. I have spoken with numerous FIs that have shared how examiners are asking if they have tested their Incident Response Plan (and Disaster Recovery/Business Continuity Plan). What is the driving force for all this recent attention? All the cybersecurity guidance and documentation. As we all know, the General Observations document and the Cybersecurity Assessment Tool both address testing. Actually, a whole section of Domain Five on the Assessment Tool focuses on testing. If you know that you need to test your Plan but are not quite sure on what kind of scenarios to use, consider revisiting a past incident or one experienced by another community FI. The FDIC also provides some cyber vignettes on their website that can be used as part of a table top test.
Having a robust and reliable plan is so essential to a successful response and with examiners and regulators putting more attention on Incident Response Plans, it is going to force some changes to take place. Hopefully the days of two paragraphs or one page Incident Response Plans will now be past us. Remember your plan must have all the necessary components so that your Incident Response Team will be able to follow it during an incident. And through your testing efforts, you will be able to ensure that your plan will function as needed.
No institution wants to experience an incident, but having a detailed and tested Incident Response Plan in place can help you make your response a much more effective and less stressful one.