Cybersecurity has increasingly moved into the spotlight in recent years, with regulators and financial firms alike scrambling to keep pace with rapidly changing demands as threats continue to evolve.

While much of the attention is justifiably focused on proactive prevention, equal emphasis must be given to an adequate response once a cyber incident occurs. Increasingly, regulators expect companies to maintain a detailed incident response plan (IRP) that is regularly exercised and kept up to date. Such a plan is essential for clearly delineating the responsibilities and processes for responding to a cyberattack, and for demonstrating to regulators and clients that the firm can maintain or return to normal operations in the event of a serious incident or breach.

Regulators are placing added emphasis on IRPs in their guidelines, tool kits and regulations. For example, when the New York Department of Financial Services (NYDFS) released its final cybersecurity rules for financial services companies in January, it required each covered entity's cybersecurity policy to include a written IRP that must be "designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity's Information Systems or the continuing functionality of any aspect of the Covered Entity's business or operations."

Similarly, the Securities and Exchange Commission (SEC) has long emphasized the importance of IRPs. In April 2015 guidance, its Division of Investment Management stated that a cybersecurity strategy should include, among other elements, the development of an incident response plan. The agency's Office of Compliance Inspections and Examinations (OCIE) highlighted IRPs as an area of focus in its Cybersecurity Examination Initiative the same year, listing IRP reviews under its "Key Takeaways" and indicating that examiners would review how the IRP is integrated into "regular personnel and vendor training."

Meanwhile, the Commodity Futures Trading Commission's (CFTC) September 2016 System Safeguards Testing Requirements regulations demand the creation of a "written plan documenting the derivatives clearing organization's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff, and independent contractors in responding to security incidents." Other bodies, including the Federal Trade Commission, the National Institute of Standards and Technology and the Financial Industry Regulatory Authority (FINRA) have also underscored the importance of IRPs as part of a greater cybersecurity effort.

Cybersecurity is firmly within regulators' sights, and they have communicated to their regulated industries that IRPs are an important part of their expectations.

What Should Your IRP Include?

Although IRPs will vary depending on each firm's specific structure, risks and other factors, there are common general elements that should be incorporated. The NYDFS regulations provide an effective overview of what should be included. The regulations state an IRP should outline:

  • The internal processes for responding to a cybersecurity event.
  • Goals of the IRP.
  • Definition of clear roles, responsibilities and levels of decision-making authority.
  • External and internal communications and information sharing.
  • Documentation and reporting of cybersecurity events and related incident response activities.
  • Evaluation and revision, as necessary, of the IRP following a cyber event.

Identifying the source of a breach and containing it is the first priority, and the procedures and roles for doing so must be established before a breach occurs so that a firm can react promptly, minimize the damage incurred and return to normal operations as quickly as possible. Containment should not come at the expense of the record that will be needed afterwards: logs, affected systems and the actions taken should be preserved and documented, because the IRP's documentation and reporting obligations, and any regulatory inquiry that follows, depend on them. To that end, an IRP should also define communications and information-sharing processes, both within the organization, to speed the response, and externally. The role of internal and/or external legal counsel should be clearly defined, and counsel should be engaged early so that forensic work, notifications and public statements are coordinated. Depending on the nature of the breach and the type of business affected, various government, law enforcement and regulatory bodies may need to be informed, such as the SEC, NYDFS, FBI, IRS and state attorneys general, or even the Department of Homeland Security. If clients' or consumers' data has been affected, the company may also be required, under applicable breach notification laws, to notify those clients or consumers. A company should therefore know, at least in general terms, what its breach notification obligations are, to regulators, law enforcement and affected individuals, and be prepared with a coordinated communications effort to mitigate any negative publicity resulting from a cyberattack.

Finally, an IRP should detail the steps to be taken immediately following a breach to ensure the same vulnerability cannot be exploited again. This should include identifying the requirements for remediating any weaknesses found in the firm's systems and associated controls, as well as evaluating and, if necessary, revising the IRP itself to correct any shortcomings or failures that emerged during the incident. Overall, firms must demonstrate they are reacting with the appropriate level of seriousness.

Practice, Practice, Practice

Once the IRP is established, it cannot simply sit on the shelf until needed; the plan must become a functional part of a firm's ongoing operations. In addition to continuously evaluating emerging threats and vulnerabilities and adjusting the IRP as required, a firm must not underestimate the importance of practicing the plan against a simulated breach scenario, for example in a tabletop exercise, to test its effectiveness. Such run-throughs test the procedures laid out in the plan, give employees training and experience in handling their responsibilities and operating within the prescribed chain of command, and expose weaknesses in the plan that can then be corrected before a real cyber event takes place.

Rehearsing IRPs is more than merely best practice; some regulators expect it as an ongoing part of cybersecurity efforts. In its 2015 cybersecurity guidance, the SEC suggested that "routine testing of strategies could also enhance the effectiveness of any strategy." The SEC has also indicated that examiners would review a firm's "process for conducting tests or exercises of its incident response plan, including the frequency of, and reports from, such testing and any responsive remediation efforts taken, if applicable." Meanwhile, FINRA suggests that "involvement in industrywide, and firm-specific simulation exercises" may be an appropriate element of a firm's plan, as appropriate to the role and scale of the firm's business.

Cybersecurity has become an ever-present concern for businesses. Understandably, the focus has often been on prevention. However, even with the best planning, not every cyber event can be avoided, and a thorough, up-to-date and well-practiced IRP is an essential component of any cybersecurity plan.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.