An Incident Response Plan Is Key to Surviving Cyberattack

CSI’s recent Consumer Cybersecurity Poll surveyed more than 2,000 Americans to uncover their top cybersecurity concerns related to their personal confidential data. The results reveal that nearly half of consumers (48%) strongly or somewhat agree they would leave their financial institution if it suffered a data breach.

Further, 59% of respondents in the 35-44 age range would leave their institution after a breach. Considering that 54% of consumers with an annual household income of $100,000 or above also agreed, institutions should take notice, as these important demographics could represent a significant market opportunity.

How would losing nearly half of your client base—including high income earners—affect your institution? Reassuring your customers or members that your institution can survive a cyberattack is critical and depends on your preparedness, which goes beyond preventative measures. It also includes planning for exactly how you will respond to a cyberattack, making an Incident Response Plan (IRP) key to your survival.

Take a deep dive into the 2021 Consumer Cybersecurity Poll results by downloading the full executive report now.

What is an Incident Response Plan (IRP)?

According to the Federal Financial Institutions Examination Council (FFIEC), an IRP is “a plan that defines the action steps, involved resources and communication strategy upon identification of a threat or potential threat event.” To minimize damage to an institution’s customers or members, an IRP should include defined protocols for identifying and responding to an incident. In addition to a strong and regularly tested IRP, institutions should also have a strong incident response team. It’s critical that the team responsible for executing the plan know the procedures for notifying customers or members and communicating what steps are being taken to protect them.

Why Do You Need an Incident Response Plan?

The consensus among security experts is that every organization will eventually experience a cyberattack, likely sooner rather than later. Limiting the attack’s damage requires action both before the incident and immediately after it. To help facilitate this, financial institutions should develop robust processes to help protect the institution from financial, operational, reputational and other risks.

In 2021, the FFIEC updated the 2004 Operations Booklet with the AIO Booklet, which places a stronger emphasis on institutions’ architecture, infrastructure and operations. This booklet provides significant updates to the guidance issued in 2004 and discusses the importance of event, incident and problem management.

Event management is the process used to track, detect and escalate issues that occur in the IT infrastructure. When an event causes a disruption to operations, it becomes an incident. The incident management process is implemented to identify, analyze and correct these disruptions, as well as prevent future recurrences with the goal of minimizing the disruption and restoring operations quickly. Finally, problem management is the process employed to manage the life cycle of an entity’s problems to prevent them from becoming incidents and reduce the impact of incidents that management cannot prevent.

The FFIEC guidance indicates that institutions should develop and implement plans for managing events, incidents and problems, and that these processes should be coordinated and included in the institution’s incident response program.

How to Create an Incident Response Plan: A Pre-Incident Checklist

The FFIEC Business Continuity Planning Booklet requires every financial institution to develop an IRP and integrate it into its business continuity plan (BCP). Take the time to compare your IRP with this checklist:

1. Identify and Allocate Appropriate Resources: This team should include appropriate internal representatives (i.e., those with the authority and skill to perform their designated role) from information technology and security, legal, compliance, operations, communications, training and any other area that would play a role in detecting, mitigating or recovering from a cyberattack.

There are several external resources that should be pre-emptively engaged in case of attack. Start with a cybersecurity forensics firm, one with the expertise to quickly diagnose the problem, halt the intrusion, preserve the evidence and restore business operations. Next, consider retaining a public relations firm that can help you develop post-incident messaging that will protect your legal position as well as your reputation. And don’t forget that your insurance company will play an important role after a cyberattack. Bring them in as part of your IRP team and discuss your liability policy’s coverage limits to determine if you need cyber insurance.

2. Understand Your Objectives and Identify Your Assets: The ultimate objective is business and data recovery, and organizations should begin by understanding requirements and objectives for the plan. Institutions should also ensure availability of resources to support the plan.

3. Develop a Clear Picture of Connectivity: All institutions outsource to third parties for efficiency. Remember that each of these connections provides a possible entry point for intrusion. Make sure your institution has identified everyone with whom it is interconnected and that it routinely reviews the need for that connection and limits privileges to only those that are needed.

4. Define “Incident”: Per NIST, an incident is “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits.” While an incident is most likely to be detected by technology staff, it can be detected by anyone at your institution, which is why it is critical that all employees know what constitutes an incident and how and where to report it.

5. Identify Most Likely Incident Scenarios: An IRP should identify the 10 to 20 most likely scenarios (e.g., ransomware, DDoS attack, account takeover, etc.) based on your institution’s specific situation and security posture. However, an institution’s plan should also be able to adapt to any unexpected scenarios that arise.

6. Create Specific Procedures: For each possible scenario, outline procedures for detecting and escalating the incident to the IRP team, and for containing that particular intrusion. Identify who will conduct the forensics investigation and note how evidence will be preserved. Then, describe recovery strategies that correlate with your recovery time objectives. Finally, make sure that all of these procedures are integrated into your BCP.

7. Train Responsible Staff: Anyone who will play a role in detecting, mitigating or recovering from a cyberattack should be trained on their specific responsibilities as outlined in your procedures. Given the rapid rate of change in the cyberworld, this is not a one-and-done exercise. Each update to your IRP should generate supplemental training.

8. Develop a Communication Plan: Identify who should be notified first of a cyberattack, such as the board, senior management and customer-facing employees. Identify when and how the rest of the organization will be advised of the situation. Know your federal and state notification requirements and account for them, and identify third-party vendors who could be affected by association. Finally, identify how and when you will communicate with customers. You can even go as far as preparing public statements in advance.

9. Test and Update the Incident Response Plan: Tyler Leet, CSI’s director of Risk and Compliance Services, describes two incident response simulation test methods, both of which involve collaboration with a third-party cybersecurity professional. A tabletop test presents the IRP team with various theoretical situations to which they apply the IRP procedures to assess effectiveness. In a functional test, a white-hat attack is launched to simulate a real attack and test your defenses and responses.

Leet notes that testing is the only way to know if your strategies will work during an actual incident. The results of your tabletop or functional test should be analyzed for lessons learned that should then be incorporated into your IRP.

Incident Response Plan Steps: A Post-Incident Checklist

Responding quickly but deliberately after an attack is crucial. Ensuring that your team is prepared to act decisively in the wake of a cyberattack will help you avoid the pitfall of a hasty or delayed response.

1. Activate the Plan: The moment an incident is detected and escalated, the IRP team, including the external resources identified beforehand, should be convened and the plan activated. This is also the time to notify your insurance company.

2. Assess and Contain the Incident: Get the forensics experts on site as quickly as possible so they can begin their work to assess breached systems and contain the incident. The nature and scope of the incident and the systems affected should all be identified through this assessment.

3. Identify and Eradicate the Source/Cause: Identifying the source of the incident is a critical step in the response process. Once the access point is identified, the organization should eliminate the unauthorized access and eradicate the cause.

4. Collect and Preserve Forensic Data: Don’t forget to preserve forensic data in the midst of recovery processes. The forensics team should securely duplicate affected systems to investigate the incident without interfering with the breach assessment.

5. Begin Recovery Procedures: Once containment is achieved, the IRP team should initiate the appropriate recovery procedures outlined in the plan. If warranted, don’t forget to file a Suspicious Activity Report based on FinCEN’s advisory outlining BSA obligations concerning cyberattacks.

6. Initiate Communication Plan: Begin initiating your communication plan as quickly as is legally and reasonably possible. An unexplained delay or concealment perceived by regulators, the media or consumers can significantly compound the original problem.

7. Analyze Effectiveness of IRP and Adjust: Once the dust settles, assess your response. Were the right internal and external resources in place? Did the forensics investigation uncover vulnerabilities that need to be addressed? Did you meet your recovery objectives? Were your communication efforts effective? Don’t wait for the next cyberattack; quickly adjust your IRP based on its performance.

An Incident Response Plan Makes Good Business Sense

Cybersecurity is not just a technology issue; it is a business issue. The 2021 Consumer Cybersecurity Poll Executive Report shows consumers’ perceptions of key issues and the potential repercussions of weak cybersecurity, including 59% of respondents in the 35-44 age range agreeing they would leave their institution after a breach.

In addition to preventative measures such as embracing a layered approach to cybersecurity, banks and credit unions must count incident response planning as a critical part of their cybersecurity efforts. Maintaining a tested IRP puts your institution in a stronger position to withstand the inevitable cyberattack.

Want more insight into how your institution can mitigate risk and empower consumers with education on top cybersecurity issues?

Download the 2021 Consumer Cybersecurity Poll Executive Report.


Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program, and chairs the company’s Information Security Committee. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.
