It’s year-end and time once again to review the cybersecurity plan and incident response strategy. Certain steps will help make the cyber threat
response plan more effective, whether you’re drafting the plan for the first
time or conducting a review to improve it.
Importance of an effective incident response strategy
The Cybersecurity Incident Response Plan becomes part of the
Cybersecurity policy and outlines steps the firm will take when a risk or
threat is discovered. All fund managers, investment firms, and securities
brokerages are expected to have this policy in place, as it outlines what the
firm is doing to minimize the risk of threats, and how it intends to administer
response in the event of a breach. Firms are also expected to fully track and
document their response steps, and fully disclose damage done, costs, and
recovery procedures.
In order to develop a strong Cybersecurity IRP, an
assessment of existing capabilities and threats is needed. The SEC’s Office of Compliance
Inspections and Examinations (OCIE) tells us what it expects in a sound plan.
OCIE examiners will focus on and scrutinize the following areas:
governance and risk assessment, access rights and controls, data loss
prevention, vendor and third-party management, and incident response.
Specifically, examiners will review whether established policies, assigned
roles, system assessments, and plans to address events are sound. Examiners are
keenly concerned about the risk to, and handling of, Personally Identifiable Information
(PII).
Develop an Incident Response Team (IRT)
For most firms, containment and investigation of an incident
requires a team effort with multiple departments involved. Depending on the
size and structure of the firm, employees and service providers are assigned
specific tasks to address various types of foreseeable incidents. The IRT
leaders take responsibility as first responders and ensure the initial tests outlined
in the Response Plan are conducted. Therefore, it’s important that team members
meet regularly to evaluate testing procedures and threats.
The Plan
Elements of the plan should include a list of critical contacts
and resources. Essential contact information and resources should be readily
accessible to the persons responsible for activating critical resources in response
to an incident. Contacts and information included may encompass forensic
experts, legal counsel, insurance policy details, data breach experts, notification
services, and press and media contacts.
Data breach experts recommend using an incident risk matrix
to categorize risk levels as low, medium, or high. It’s a good policy to
define “triggers” in the plan to help determine if an incident should be
escalated to the next level. Escalation tends to be a key area where managers
and first responders carry a level of uncertainty. For instance, a lost file
with a single client or employee record may be medium to low risk. However, such
an event could be classified as high risk requiring immediate action if it is the
starting point for a greater threat. Triggers and matrices help IRP responders
determine whether a threat should be escalated.
Upon discovery or notification of a threat or attack, log
the following information:
- Name and contact details of the person making the notification
- Date and time of notification
- Date and time the incident occurred (if known)
When investigating the incident, key elements to log include:
- Source of the attack
- Systems accessed
- Information extracted or compromised
- Security of sensitive client or firm information
Notification to Impacted Parties
The standards for notifying victims in the event of a breach
can vary. State and federal laws differ, as do the regulations governing financial
industry sectors. When developing the IRP, consider the regulatory standards and
add additional layers of notification as deemed necessary. Firms should be
aware that the window for notification generally starts at the time an incident is
first discovered.
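The risk matrix with escalation triggers and the intake/investigation fields described above can be captured in a small, reviewable record so that responders log the same information every time and escalation decisions leave a trail. The following is an added illustration, not code from the original post or from RND Resources; the field names, the trigger rules, the record threshold and the list of sensitive systems are assumptions chosen for the example, and a firm’s own IRP would define its own.

```python
"""Incident record with intake/investigation fields and escalation triggers.

Added example (not part of the original post). Trigger rules, thresholds and
system names below are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}

# Assumed threshold: this many compromised records is high risk on its own.
HIGH_RECORD_THRESHOLD = 100
# Assumed set of systems whose access alone warrants at least medium risk.
SENSITIVE_SYSTEMS = {"client-db", "order-management", "email-archive"}


@dataclass
class Incident:
    # Logged on discovery or notification of the incident
    reported_by: str
    reporter_contact: str
    notified_at: Optional[datetime]
    occurred_at: Optional[datetime] = None
    # Logged during the investigation
    source: str = "unknown"
    systems_accessed: List[str] = field(default_factory=list)
    records_compromised: int = 0
    pii_involved: bool = False
    part_of_wider_attack: bool = False
    # Current risk level and an append-only trail of escalation decisions
    level: str = LOW
    escalation_log: List[str] = field(default_factory=list)


def missing_intake_fields(inc: Incident) -> List[str]:
    """Return the names of required intake fields that are still blank."""
    required = {
        "reported_by": inc.reported_by,
        "reporter_contact": inc.reporter_contact,
        "notified_at": inc.notified_at,
    }
    return [name for name, value in required.items() if not value]


def assess_risk(inc: Incident) -> Tuple[str, List[str]]:
    """Apply every trigger rule; the highest level triggered wins.

    Returns the level and the list of reasons, so the decision is auditable.
    """
    level, reasons = LOW, []

    def raise_to(new_level: str, why: str) -> None:
        nonlocal level
        reasons.append(f"{new_level}: {why}")
        if RANK[new_level] > RANK[level]:
            level = new_level

    if inc.records_compromised >= 1:
        raise_to(MEDIUM, f"{inc.records_compromised} record(s) compromised")
    if inc.pii_involved:
        raise_to(MEDIUM, "PII involved")
    if set(inc.systems_accessed) & SENSITIVE_SYSTEMS:
        raise_to(MEDIUM, "sensitive system accessed")
    if inc.records_compromised >= HIGH_RECORD_THRESHOLD:
        raise_to(HIGH, f"at or above {HIGH_RECORD_THRESHOLD} records")
    if inc.part_of_wider_attack:
        raise_to(HIGH, "indicator of a wider attack")  # the post's 'starting point' case
    return level, reasons


def escalate_if_needed(inc: Incident) -> bool:
    """Re-assess the incident and record the outcome; True if the level rose."""
    new_level, reasons = assess_risk(inc)
    if RANK[new_level] <= RANK[inc.level]:
        inc.escalation_log.append(f"{inc.level} unchanged")
        return False
    inc.escalation_log.append(f"{inc.level} -> {new_level}: " + "; ".join(reasons))
    inc.level = new_level
    return True


def sample_incident() -> Incident:
    """Constructed sample, not a real event: one lost client record with PII."""
    return Incident(
        reported_by="J. Doe (Operations)",
        reporter_contact="jdoe@example.invalid",
        notified_at=datetime(2016, 12, 1, 9, 15),
        source="lost laptop",
        records_compromised=1,
        pii_involved=True,
    )


if __name__ == "__main__":
    inc = sample_incident()
    print("missing intake fields:", missing_intake_fields(inc))
    escalate_if_needed(inc)          # single PII record: medium, per the matrix
    inc.part_of_wider_attack = True  # investigation later links it to wider activity
    escalate_if_needed(inc)          # now high, with the reason recorded
    print("\n".join(inc.escalation_log))
```

The point of returning reasons alongside the level is that an examiner reviewing the escalation log later sees which trigger fired, which is exactly the documentation the Documentation and Regulation section below says will be requested.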
To ease the workload, create notification templates covering
various situations and make them readily available as part of the IRP. In the event
of an incident, the templates are used to communicate with clients, employees,
service providers, and media relations. Take precautions regarding data
security when sending out communications; ensure the delivery method doesn’t
further compromise PII (Personally Identifiable Information). Also, determine
whether clients and employees may need additional resources to mend the damage.
Documentation and Regulation
The SEC will ask for documentation about incidents including losses incurred, cost of mitigation, along with circumstances and facts. The effectiveness of the IRP includes how well the documentation stands up under examination.
Investigators often request various computer data logs and files
pertaining to devices impacted and servers compromised. They may also look at
employee communication, corrective actions taken, notifications, and the
overall response of the IRT (Incident Response Team).
Include in the response details about containment, such as a
factual description of the incident, the preliminary risk assessment, and the
monitoring conducted after the incident was contained.
Cybersecurity incidents are an ever-evolving threat, with
attackers continually finding inventive ways to do harm. Prevention is a strong
form of protection, but it is not likely to be a solution in every situation.
Preparation in advance gives firms the support plan they need to minimize risk
and react swiftly.
To learn more about #cybersecurity #governance, register for our free webinar on December 6, 2016.
RND Resources assists Broker-dealer firms, Fund Managers,
and RIAs with cybersecurity #assessment and planning solutions.
Visit our website for more information, upcoming training events, gap analysis
worksheets, and emerging trends in cybersecurity as it pertains to Financial
Service firms. www.finracompliance.com