Why is a Well Developed Incident Response Program Important to Your Bank?

Stephen Lilly
First Community Bancshares, Inc
Member of the WVBankers Operations & IT Committee

 Your bank's ability to appropriately respond to cyber-security incidents in a well-coordinated way is critical to preserving stability of your bank’s operations and maintaining customer confidence. With the numerous cyber-security threats and techniques looming today, all banks need to be well prepared for various cyber-security scenarios.  A well planned Incident Response Program (IRP) is a must for financial institutions of all sizes and operating models.   Your board of directors and management team must ensure that an effective IRP is in in place to satisfy regulatory requirements and to protect customer data regardless of whether systems are operated in-house or if they are outsourced to a third party.      

The best information security programs cannot fully protect your bank’s systems and data from every vulnerability or completely protect against every type of technological threat.  Taking that into consideration, banks are best served by incorporating a formal IRP to complement vulnerability management programs and business resumption plans.  Bank boards and management teams should think comprehensively about how vulnerability management, business resumption planning, and IRP’s interrelate as they develop information security and business resumption policies and procedures.

Minimum required IRP procedures according to the FDIC’s April 2005 interpretive guidance is categorized into two broad categories: "reaction" and "notification." Reaction procedures are the steps taken once a compromise, breach, or system interruption has been experienced. Notification procedures involve communicating the aspects of the event or incident to management and other interested parties within the bank, and they may also incorporate reporting requirements to regulators, law enforcement, and customers.

IRP reaction procedures must include assessing cyber-security events and determining whether unauthorized access to or misuse of customer information has occurred.  This process must also include a documented assessment for determining the severity and other implications of any cyber-security event. The focus of this assessment is to determine the circumstances and ramifications surrounding a cyber-security event, identify whether customer or other confidential information has been compromised, and whether critical operating systems have been negatively impacted.

These reaction procedures must also address containment and control of the security incident, which involves preventing any further access to or misuse of customer information or critical systems. Due to the number and variety of threats to customer information and systems, financial institutions must plan for scenarios that are more likely to happen, and develop response and containment procedures for those circumstances that have the greatest potential for damage.  A well devised information security risk assessment can be useful in identifying these potential threats, and the development of procedures to mitigate risks and associated impacts. While every incident scenario cannot be anticipated, IRP reaction and containment procedures need to account for those incidents that are most likely to occur.

Development of notification procedures are just as significant as reaction procedures in the development of your bank’s IRP.  As soon as your bank discovers any data compromises, unauthorized system accesses, misuses of sensitive customer information, or disruption of critical systems your primary regulator and law enforcement need to be immediately contacted. Steps must be set out in your IRP for notifying your regulatory agency and law enforcement.  These notification procedures can be beneficial in determining the scope and potential of the incident, so be sure to incorporate specific notification procedures and responsibilities within your bank’s IRP.

In conjunction with notifying law enforcement agencies, Suspicious Activity Reports (SARs) will need to be prepared and filed in accordance with your primary federal regulator's requirements.  Law enforcement agencies may be an additional resource in handling and documenting the incident, so leverage your law enforcement contacts when faced with an incident situation. The SAR form itself can also serve as a resource in the incident reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR instructions also clarify what constitutes a "computer intrusion" for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can be very helpful in defining specific notification and reporting requirements expected by regulators.

Lastly, banks IRP’s must also address customer notification procedures. As your bank personnel become aware of an incident involving unauthorized access to sensitive customer information, an in-depth investigation must be conducted.  This investigation process should include methods to determine the potential for customer information to be compromised or extracted or for system disruptions to occur. Provided sensitive customer information has been compromised or that misuse of customer information is reasonably possible, the bank will be required to notify the affected customer(s) in a timely manner. Consultation with your bank’s legal counsel is highly recommended when customer notifications are being discussed and ultimately determined.  Developing standardized procedures for notifying customers will assist in making timely and thorough notification as well as mitigating potential reputational risks.

Your management team should review Incident Response policy and procedure to ensure the elements above are addressed. Keep in mind, these guidelines are merely the bare minimum requirements expected in policy and the IRP.  The main goal of any IRP is to minimize damage to the bank and its customers. IRP must have defined policies and procedures to adequately respond to identified incidents. More specifically, the IRP should include steps for, containing the incidents, coordinating with law enforcement and other third parties (e.g. insurance carriers), restoring systems, preserving data and evidence, providing assistance to customers, and providing operational resilience.  If your bank’s board of directors and management team have not reviewed and reconciled your IRP with current regulatory guidelines, it would be a good idea to do so as soon as possible.  Cyber threats are pervasive and can strike at any time, so it is a good investment of effort to make sure your bank is prepared.  An excellent reference for IRP guidance and requirements is the FFIEC IT Examination Handbook at the link below:

https://ithandbook.ffiec.gov/it-booklets/information-security/iii-security-operations/iiid-incident-response.aspx.

 

Tags: General