You may have noticed 2016 was quite the busy year for IT regulatory compliance. OK, that’s probably a bit of an understatement.
Last year saw the release of Appendix E on Mobile Financial Services, the new InTrex exam format, the updated Information Security Handbook, and the promise of more to come in 2017. With this plethora of information being directed at financial institutions (FIs), I wanted to take this opportunity to highlight one particular factor that is already coming under examiner scrutiny: incident response. I have written about incident response a couple of times in the past. In fact, in my previous blog I provided some best practice items for FIs to consider in their Incident Response Plans. But with increasing attention on this subject, I think it is necessary that we revisit a couple of established incident response standards and acknowledge a new best practice.
Incident Response Plan Testing. I have talked about it before and I will continue to talk about it (it is a soap box of mine). Both the 2016 edition of the Information Security Handbook and the InTrex exam format place emphasis on the criticality and necessity of testing. My team has spoken with numerous institutions that stated examiners had homed in on their testing efforts. Many of those FIs had gone years, and completed several exams, without testing their plan. But this is no longer seen as acceptable. If testing is something your institution has not done in the past, or maybe just not on a regular basis, I encourage you to do so. Testing your Incident Response Plan will only serve to improve your plan and your response efforts. On a side note, I have heard some FIs state that going through an actual incident was their “test.” While there are undoubtedly valuable lessons to be learned from an actual incident, it is not a proper testing exercise. As you update your plan each year, it is vital that you test it to ensure it will work as expected and that your Incident Response Team members know their responsibilities and can coordinate as a team. Waiting until a real incident to discover that your plan is not sufficient, or that your team members cannot carry out their roles, is not an ideal scenario.
We have all heard so much about information sharing the past couple of years. And while it is not a new concept, its importance as a component of incident response has recently emerged. The Information Security Handbook from 2006 did include details on how, after an incident, FIs should share what they have learned with appropriate ISAC groups. But prior to the FFIEC’s 2014 statement encouraging FIs to join information sharing groups, I do not think most FIs had heard much about these groups as a part of incident response efforts. However, the growing impact of cybersecurity and the importance of cyber resiliency have brought to light the significance of sharing information gleaned and experiences learned from incidents. And keep in mind, the FFIEC has stated that it is not enough just to gather information from these sources; institutions must also share their knowledge. Your FI’s experiences and insights could help prevent or limit the same incident at another institution. So, if you are not already, consider making information sharing part of your post-incident activities.
Ransomware has been everywhere in the media and for good reason. For 2015 the Internet Crime Complaint Center (IC3) reported more than $18 million in losses related to just one strain of ransomware. For FIs, ransomware can not only damage your bottom line, but it can also cost you your reputation and critical data. So it is important to understand that there are unique considerations that must be taken into account for ransomware. In years past I have seen examiners request to see specific response procedures for scenarios such as Corporate Account Takeover and DDoS attacks. Why? As these types of attacks became more prevalent concerns for FIs, there were unique factors related to them that influenced response efforts. Now similar expectations are beginning to emerge for ransomware. As you update your plan, I encourage you to incorporate response strategies specific to ransomware, including determining the strain, tools available to your FI, and evaluating your response options (paying the ransom versus not paying).
Incident response efforts and plans are finally beginning to receive the attention they have long deserved. This of course is due largely to the impact of cybersecurity. The new guidance and InTrex exam format that were released in 2016 have only served to re-emphasize this importance. The next time your FI prepares to revise your Incident Response Plan, I encourage you to re-visit standards such as testing and information sharing and be cognizant of new best practices.
Jennifer Roland-Vlach is a Compliance Analyst for Gladiator Compliance Services.