A Pre- and Post-incident Checklist for Banks
“Banking Trends through a Millennial Lens,” CSI’s recent generational banking study of more than 1,000 U.S. banking consumers, found that 60 percent of respondents have experienced fraudulent banking or credit card activity. That number will likely rise due to the Equifax breach that exposed 145.5 million identities. This is leading consumers to fear for their personal financial information and question the ability of financial institutions to protect them.
Assuring your customers that your institution can survive a cyberattack is critical – and depends on your preparedness, which goes beyond critical preventative measures. It also includes planning for exactly how you will respond to a cyberattack. Having an Incident Response Plan (IRP) in place is your institution’s key to survival.
In July, Digital Guardian highlighted IRP best practices from various cybersecurity professionals. The consensus among them and other security experts is that it is increasingly inevitable that every organization will experience a cyberattack, and likely sooner rather than later. Limiting the attack’s damage requires action both before the incident and after it.
Pre-Incident Response Plan Checklist
The Federal Financial Institutions Examination Council's (FFIEC) Business Continuity Planning Booklet requires every financial institution to develop an IRP and integrate it into its Business Continuity Plan (BCP). To avoid the criticism Equifax is now facing, it’s time to compare your IRP with this checklist:
1. Identify and Allocate Appropriate Resources: This team should include appropriate internal representatives (i.e., those with the authority and skill to perform their designated role) from information technology and security, legal, compliance, operations, communications, training and any other area that would play a role in detecting, mitigating or recovering from a cyberattack.
Security experts also point to several external resources that should be pre-emptively engaged in case of attack. Start with a cybersecurity forensics firm, one with the expertise to quickly diagnose the problem, halt the intrusion, preserve the evidence and restore business operations. Next, consider retaining a public relations firm that can help you develop post-incident messaging that will protect your legal position as well as your reputation. And don’t forget that your insurance company will play an important role after a cyberattack. Bring them in as part of your IRP team and discuss your liability policy’s coverage limits to determine if you need cyber insurance.
2. Understand Your Objectives and Identify Your Assets: The ultimate objective is business and data recovery, but Doug Landoll, author and security professional, advises organizations to state their desired response and recovery time objectives specifically. Dr. Chris denHeijer, D.CS, professor of Management Information Systems at Colorado State University, says an IRP should clearly identify all assets, which means addressing network, computer and physical security in the plan.
3. Develop a Clear Picture of Connectivity: All banks outsource to third parties for efficiency. Just remember that each of these connections provides a possible entry point for intrusion. Make sure your institution has identified everyone with whom it is interconnected and that it routinely reviews the need for that connection and limits privileges to only those that are needed.
4. Define “Incident”: Private bank First Republic notes that “An incident can be detected by anyone with the right ‘visibility.’” The most likely detector is technology staff, but it could be anyone in your institution, which is why it is critical that all employees know what constitutes an incident and how and where to report it. Per the FFIEC, an incident is “the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data.”
5. Identify Most Likely Incident Scenarios: Landoll recommends that an IRP identify the 10 to 20 most likely scenarios (e.g., ransomware, DDoS attack, account takeover) based on your institution’s specific situation and security posture. Then, he says, “the IR plan can evolve and expand once it is in place to address unforeseen incidents.”
6. Create Specific Procedures: For each possible scenario, outline procedures for detecting and escalating the incident to the IRP team, and for containing that particular intrusion. Identify who will conduct the forensics investigation and note how evidence will be preserved. Then, describe recovery strategies that correlate with your recovery time objectives. Finally, make sure that all of these procedures are integrated into your BCP.
7. Train Responsible Staff: Anyone who will play a role in detecting, mitigating or recovering from a cyberattack should be trained on their specific responsibilities as outlined in your procedures. Given the rapid rate of change in the cyberworld, this is not a one-and-done exercise. Each update to your IRP should generate supplemental training.
8. Develop a Communication Plan: Identify who should be notified first of a cyberattack, such as the board, senior management and customer-facing employees. Identify when and how the rest of the organization will be advised of the situation. Know your federal and state notification requirements and account for them, and identify third-party vendors who could be affected by association.
Finally, identify how and when you will communicate with customers. You can even go as far as preparing public statements in advance. Frank Limpus, owner of a marketing communications firm, says that “Planning these statements without the pressure of a widely escalating situation is absolutely the best time to talk—and think—through everything that needs to be said.”
9. Test the Plan: Tyler Leet, CSI’s director of Risk and Compliance Services, describes two incident response simulation test methods, both of which involve collaboration with a third-party cybersecurity professional. A tabletop test presents the IRP team with various theoretical situations to which they apply the IRP procedures to assess effectiveness. In a functional test, a white-hat attack is launched to simulate a real attack and test your defenses and responses.
10. Update Plan Based on Test: Leet notes that testing is the only way to know if your strategies will work during an actual incident. The results of your tabletop or functional test should be analyzed for lessons learned that should then be incorporated into your IRP.
Post-Incident Response Plan Checklist
Responding quickly but deliberately after an attack is crucial. Equifax was criticized by security professionals and consumers for a slow and sloppy response. Ensuring that your team is prepared to decisively act in the wake of a cyberattack will help you avoid that pitfall.
1. Activate IRP Team: The moment an incident is detected and escalated, the IRP team, including the external resources identified beforehand, should be convened and the plan activated. This is also the time to notify your insurance company.
2. Assess the Incident: Robert Munnelly, who practices regulatory compliance law, stresses the importance of getting the forensics experts on site as quickly as possible so they can begin “establishing a secure perimeter around any equipment or systems believed to be part of a breach and taking potentially compromised systems off-line to avoid additional incursions.” The nature and scope of the incident and the systems affected should all be identified through this assessment.
3. Collect and Preserve Forensics Data: Don’t forget to preserve forensics data in the midst of recovery processes. Munnelly advises that the forensics team “make a secure copy of the affected systems so they can be fixed without compromising assessment of the manner of breach.”
4. Begin Recovery Procedures: Once containment is achieved, the IRP team should initiate the appropriate recovery procedures outlined in the plan. If warranted, don’t forget to file a Suspicious Activity Report based on FinCEN's advisory outlining BSA obligations concerning cyberattacks.
5. Initiate Communication Plan: “Remember the public will judge you by what you do and what you say,” Limpus says. Begin initiating your communication plan as quickly as is legally and reasonably possible. An unexplained delay or concealment perceived by regulators, the media or consumers can significantly compound the original problem.
6. Analyze Effectiveness of IRP and Adjust: Once the dust settles, assess your response. Were the right internal and external resources in place? Did the forensics investigation uncover vulnerabilities that need to be addressed? Did you meet your recovery objectives? Were your communication efforts effective? Don’t wait for the next cyberattack; quickly adjust your IRP based on its performance.
Incident Response Planning Makes Good Business Sense
Cybersecurity is not just a technology issue; it is a business issue. CSI’s generational banking study showed that robust cybersecurity has the power to attract customers, while weak cybersecurity can deter them: “47 percent of Gen X, 41 percent of Baby Boomers and 29 percent of Millennials say improved security measures and fraud protection would cause them to use their bank or credit union’s website or mobile app more frequently.”
In addition to preventative measures, banks must count incident response planning as a critical part of their cybersecurity efforts. Maintaining a tested IRP puts your institution in a stronger position to withstand the inevitable cyberattack.
Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.