By Ted Julian, security expert and CMO of Co3 Systems
Details known: Very few.
Initial steps: Stop the bleeding and assume the worst.
When a cyber incident is discovered, organizations often don’t have all the facts initially. This can pose a major challenge to those charged with incident response. Given this reality, what should be done first? Of course, organizations should already have a plan in place for dealing with potential security incidents. Having a plan and following it will help to calm the initial chaos. But what steps must be taken as part of that response plan? And what about banks unique breach response requirements like those required by regulators and the risk of financial harm both to customers and the bank itself?
To answer these questions, we simulated a cyber breach using the Co3 platform. We modeled a worst-case system intrusion in order to highlight potential disclosure requirements as part of the broader response effort. We indicated that the breach included the compromise of unencrypted, personally identifiable information (financial information, to be exact), thereby creating foreseeable harm to bank customers.
Specifically, our simulated breach parameters included:
- Incident type: System Intrusion
- Personally Identifiable Information involved: Yes
- Harm foreseeable: Yes
- Data encrypted: No
- Data types involved: first and last names, addresses, phone numbers, email addresses, financial account numbers, and passwords
- Number of records involved: 100,000
The resulting response plan includes 37 tasks broken into the following categories:
- Engage Phase: 5 tasks
- Detect/Analyze Phase: 13 tasks
- Respond Phase: 8 tasks
- Data Breach – Authority Notifications: 3 tasks
- Data Breach – Individual Notifications: 1 task
- Data Breach – General: 1 task
- Post-Incident Phase: 6 tasks
IT-related, “stop the bleeding” tasks include items like collecting system data, analyzing intruded systems and network traffic, and creating backups of affected systems. In addition, known vulnerabilities should be evaluated and any other intelligence that may be available should be consulted.
From a breach notification point of view, the risk of harm is a key factor. According to guidance issued by the Information Commissioner’s Office (ICO), organizations that experience a data breach must look at the potential harm to those involved when deciding whether or not to disclose the breach to consumers or regulators. The ICO provides a list of details to consider when making such an assessment. Some things to consider are what type of data is involved and how sensitive is it? Are there protections in place, such as encryption? What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?
Financial institutions in the UK have an additional step when it comes to data breaches. According to the Financial Services Handbook, banks and other financial firms must notify either the Prudential Regulatory Authority or the Financial Conduct Authority, as appropriate, as soon as it becomes aware of “any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm”. Clearly, a system intrusion at a financial institution that results in unauthorized access to or acquisition of personal data falls under that category. When notifying the regulator, the notice should contain information and circumstances about the breach, as well as any steps that the firm has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence.
As you can see from this exercise, cyber attack incident response spans not only a range of IT systems and processes, but also – and this is crucial for banks – a multitude of regulatory requirements, potentially including privacy breach disclosure. As such, effective incident response must span all of these functions and include representation from across the organization: IT, legal, compliance, privacy, marketing, HR, and so on. The only way to ensure the effectiveness of such a far ranging exercise is through practice.