Is your financial institution (FI) prepared to address and analyze future incidents? After all, it's no longer a matter of whether your FI will face risk-related incidents—it's a question of when.
The key to minimizing damage and ensuring quick recovery lies in a strong, adaptable incident response plan. Is your FI's incident response plan up to the challenge? Are you taking all the necessary steps to stay ahead of emerging threats? Should you adjust your current plan? Keep these questions in mind as we explore how to safeguard your institution with an effective incident response plan.
An incident is any event, internal or external, that disrupts a financial institution's operations, data, finances, clients, reputation, or regulatory standing. Examples include natural disasters such as tornadoes, fires, and floods, as well as physical security threats such as an armed individual in or near a branch.
Incidents also include data theft, whether physical (an unauthorized individual entering a branch and removing sensitive information) or digital (a cyberattack that compromises systems or data), along with fraud, other criminal activity, and system outages.
Depending on its scope, an incident can affect the institution, its customers or members, and/or its employees. Financial institutions do not want to be left scrambling to respond when a business disruption occurs. Advance planning and regular testing of the plan are essential to responding quickly and effectively.
Regulatory bodies also have specific requirements when it comes to the implementation of effective incident response plans.
Under a 2021 interagency rule from the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC), banks are required to notify their primary federal regulator "as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred." The Federal Financial Institutions Examination Council (FFIEC) also sets expectations for incident response plans, including specifics on preparation and testing, in its Information Technology Examination Handbook. More recently, the National Credit Union Administration (NCUA) issued a letter to credit unions describing its new rule, which requires a federally insured credit union to notify the NCUA within 72 hours after it reasonably believes a reportable cyber incident has occurred. Many states also have their own notification requirements following a cyber incident. All of these are in addition to business continuity management requirements, and the clock on each starts at a defined point, so the plan should specify who makes the determination that starts it and how that determination is documented.
While many FIs, if not most, recognize the impact of incidents on their organization's security and regulatory status, they may not have an updated, tested incident response plan in place.
Incident response plans can differ depending on the organization's goals, size, and resources. While every FI's incident response plan will look slightly different, many (if not all) of these components should appear on your FI's incident response plan checklist.
It is better to be safe than sorry, and one simple but effective way for FIs to prepare for a variety of incidents is tabletop testing. A tabletop exercise walks the response team through a simulated incident scenario in a discussion-based format, step by step, to find out whether the plan actually tells people what to do, who decides, and who is contacted at each stage. Functional exercises go further by having participants carry out some of those actions, such as restoring a system from backup or issuing a notification, rather than just talking through them.
Conduct tabletop testing and functional exercises on a regular schedule, record the gaps they expose (missing contacts, unclear decision authority, steps that depend on a single person), and track each one to resolution so the plan improves with every exercise.
Every organization's incident response team (IRT) will look different depending on available resources, but it is ideal to assign a dedicated incident response manager to oversee the process and ensure that roles and responsibilities are clearly defined.
The manager does not need deep technical knowledge of firewalls or information technology (IT); that expertise comes from the technical responders on the team. Instead, the manager should be comfortable in a project manager role, highly organized, and a strong communicator, able to coordinate IT, compliance, legal, and business stakeholders and keep decisions and timelines documented while the incident is underway.
The communication process can begin once the IRT and the other appropriate parties have been notified.
Develop a communication plan for relaying information to customers, members, consumers, employees, regulators, law enforcement, and, if needed, the public. Include internal and external communication procedures, pre-approved messaging scripts, and the contact information and regulatory deadlines for each audience, so that time-bound notifications to regulators are not left to be worked out during the incident.
While certain plan components, such as communication with regulators and consumers, are essential for compliance, FIs should tailor their plans to fit their institution’s unique needs.
What does your FI do after an incident? Is it business as usual, or do you implement what you have learned?
Postmortem analysis is a crucial part of an incident response plan. Update your risk assessments to determine which controls need to be fixed or added, and conduct a gap analysis comparing what the plan assumed with what actually happened during the incident. Adjust policies and procedures to account for what you learned so the same surprises do not recur. A findings-tracking solution can help consolidate findings from postmortem analyses, compliance reviews, exams, and audits in one place and follow each one through to closure.
By understanding what qualifies as an incident and having a comprehensive plan, FIs can minimize the impact of incidents on their operations, customers and members, and employees. Incident response planning takes time, but being prepared and having the resources to address and mitigate incidents quickly can make a significant difference when it matters most.
For more information on the components of the incident response plan—including best practices from our team's compliance, business continuity, and ERM experts—see our Incident Response Plan Checklist.