October 2018 - Having a response plan to deal with a crisis can help mitigate damaging outcomes and speed recovery. Incident response plans can cover a range of events, but for today’s financial services companies, cybersecurity is often a primary focus of an incident response plan as bank data and customer financial data are frequent targets of hackers.
Creating a plan that you can rely on in crisis mode is important. For smaller community financial institutions, developing an incident response plan when time and resources are limited may seem like a daunting task, but it does not have to be. The most important consideration to remember is that any response or action that you can determine in advance will likely be better than what you come up with in the heat of a crisis.
The first step is simply to acknowledge that you need a plan. Cybersecurity threats present serious risks for financial institutions both large and small, and these threats evolve continuously. Begin developing your plan wherever you are, based on your current business scenarios and available resources, one step at a time. You may soon end up with a robust response plan, but any part of a plan that you can complete is a step in the right direction. An easy kickoff would be to add 90 minutes to your next staff meeting to begin to identify members of your response team and the likely scenarios your institution may face.
As you are building the team that will create and execute the response plan, it’s important to think outside of the box on what types of decisions will have to be made during a crisis. There are legal decisions, confidentiality considerations, technology issues, and communications needs during and after a crisis event. Assemble the right combination of experts (including both internal and possible outsourcing partners) to address these areas. As your team is developing the plan, understand that you do not need to have everyone in the room every time the plan is being worked on. For example, your technology experts can start the plan, and then gather input and ideas from legal, human resources, communications, and others.
Developing individual components of the plan likewise does not have to be a daunting or complicated process. Many incident response plan templates and resources are available online that can serve as a starting point for your plan, such as the "Guide for Cybersecurity Event Recovery" by the National Institute of Standards and Technology. There are a few key areas that need to be addressed in any incident response plan:
- Define incident – What constitutes an incident that would trigger your response plan? Define the likely scenarios for your business.
- Establish procedures – Create your action item list for detecting an incident and escalating it within your organization. Identify key team members and their authority to lead various parts of the response.
- Define objectives – Business continuity and data recovery are the obvious objectives for your response plan, but try to be specific about a timetable and milestones for the recovery process.
- Determine communications – Develop advance templates for what you will say to your staff, customers, and the media.
Once your response plan is documented, it is important to test it. Tabletop exercises are excellent ways to evaluate how your team will rely on the plan in a hypothetical crisis event. Again, design this exercise according to your resources. You may spend 45 minutes or half a day on the exercise, but any amount of testing and walking through the steps in sequence will help you perform better in an actual crisis. Following the test, repeat the exercise with the next tier of staff from your primary response team. It’s important for others to be familiar with the response plan and their roles because it is unlikely that all of your top leadership will be immediately available when an incident occurs.
Response plans are fluid and need to be reviewed and updated regularly. Cybersecurity threats, in particular, evolve quickly and continuously, so there is merit to returning to your response plan and assembling your team with some frequency. Repetition will strengthen these muscles and will also incorporate new thinking. Integrate incident response planning into your regular business planning processes and you will have an automatic mechanism for reviewing and updating your plan.
There is no magic to developing an incident response plan. Take the steps to get started based on your available resources and the context in which your business operates, with the recognition that any advance decision-making (otherwise known as planning) will make you exponentially better prepared to respond to an actual crisis.