Financial institutions tend to suffer the most severe consequences of a security breach because, as the bank robber Willie Sutton is reputed to have said, "that's where the money is." There is little a financial institution can do to stop criminals from attempting to steal sensitive data or financial assets, but how it responds once an attack succeeds is coming under increasing scrutiny from customers and regulators alike, because the stakes keep rising.
In fact, examiners at the Federal Deposit Insurance Corp. (FDIC) expect a minimum set of incident response capabilities, covering everything from how a breach is identified and contained to how and when regulators and affected customers must be notified once it is confirmed.
However, to their detriment, many financial services organizations still improvise their critical incident response as they go. This wastes time, and it often leaves regulators and customers with the impression that the organization was unprepared or lacked proper security controls in the first place.
Have an Incident Response Plan
Regardless of the size of the financial services organization, regulators are making it clear that they now routinely assess IT security within the broader context of risk management standards. As such, they hold financial services organizations accountable not just for the measures taken to prevent breaches, but also for the effectiveness of their incident response. The assumption is that, while there is no such thing as perfect security, a financial institution should be able to respond immediately once a breach is discovered, with the context needed for rapid resolution and for effective emergency communication across departments.
For that reason, it's crucial that financial services organizations have an incident and communications response plan that spans everything from how the IT department resolves the issue to how the finance and legal teams engage regulators and, whenever necessary, customers and the broader market. Executing such a plan consistently, so that the cost to the business is contained, requires a well-defined framework that keeps every critical stakeholder engaged whenever a breach occurs. Because missing a single step can carry significant financial or legal consequences, such a framework ensures that no step is overlooked. It also gives customers and shareholders confidence that the institution and their assets remain sound.
To that end, an incident response framework should be the mechanism through which every part of the organization gets shared visibility into a consistent set of processes designed to limit the impact of a breach on the organization and its customers. For example, everyone in the IT organization must understand the protocols for assessing incident impact, mobilizing the right subject matter experts quickly, and carrying out basic troubleshooting and remediation steps. Stakeholders elsewhere in the organization should be able to see exactly who in IT is working on the problem and the expected time to resolution, and to know in real time what language they must use to inform customers.
Best practices such as these don’t come about of their own accord. Senior business and IT leaders need to set the tone. If organizations put the right processes in place (including regular training and practice), dealing with breaches and other forms of IT disruptions will become second nature. This is of absolute importance because the only thing worse than a costly breach — and the fastest way to lose customers’ trust — is when the customer discovers the breach from some other source, rather than the financial institution itself.
Of course, having to tell a customer that there is a problem with a service is one thing. Not being able to tell them when that problem will be resolved is far worse, and a customer left without an estimated time to resolution may well start considering other financial services providers. To make sure your financial services organization has the right processes and workflows in place, check out our open-sourced incident response documentation as well as our Financial Services solutions brief.