What Does Your Company's Cyber Incident Action Plan Look Like?


Regulators, industry associations, and law enforcement are publishing principles and measures to consider in connection with cybersecurity preparedness and response.
As your company gears up to assess existing practices and to set the course for what is next, the following are highlights of some of the measures and principles suggested by the US Department of Justice's Computer Crime and Intellectual Property Section (Criminal Division) and the SEC's Division of Investment Management.
DOJ's Response and Reporting Measures
The US Department of Justice's recently issued document titled "Best Practices for Victim Response and Reporting of Cyber Incidents" includes a Cyber Incident Preparedness Checklist that suggests a number of steps to consider before, during, and after a cyber attack or intrusion.
Below are summary highlights from DOJ's checklist; DOJ's document can be accessed here.
  • Identify "crown jewels" and institute tiered security measures
  • Review and adopt risk management practices found in guidance (such as the NIST Cybersecurity Framework)
  • Create an actionable incident response plan (test and update)
  • Have technology to address an incident (or ensure it is easily obtainable)
  • Have procedures that permit lawful network monitoring
  • Have legal counsel familiar with cyber incident legal issues
  • Align incident response plan with other policies (including HR, etc.)
  • Develop proactive relationships (with law enforcement, outside counsel, PR firms, investigative and cybersecurity firms)
  • Make an initial assessment of the scope/nature of the incident (particularly whether malicious or a technological glitch)
  • Minimize continuing damage, consistent with cyber incident response plan
  • Collect and preserve data related to the incident (image the network; keep logs, notes and other records; keep records of ongoing attacks)
  • Notify (consistent with incident response plan): appropriate management and personnel; law enforcement; other possible victims; the Department of Homeland Security
  • Do not use compromised systems to communicate
  • Do not "hack back" or intrude upon another network
  • Continue monitoring the network for anomalous activity
  • Conduct a post-incident review
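The "collect and preserve data" item above is the one step in the checklist that a technical team has to get right on the day: logs, images and notes that are gathered but cannot later be shown to be unaltered are of limited use to counsel or law enforcement. The script below is an added example, not part of the DOJ document, of the minimum a responder would do once artefacts have been copied to a working directory: record a SHA-256 digest, size and timestamp for every file, sign the file list itself with a digest so the record is tamper-evident, and re-verify the whole set later. The `case_id` and `collector` fields are hypothetical chain-of-custody labels; the sample files in the usage are constructed for illustration.

```python
"""Evidence preservation helper: hash collected artefacts and verify later.

Added example, not DOJ's own code. Assumes evidence (log exports, disk
image chunks, analyst notes) has already been copied into a local directory;
this records SHA-256 digests and sizes in a manifest so that any later
alteration, deletion or addition of collected files can be detected.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream files in 1 MiB chunks so large images fit in memory
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _files_digest(entries: list) -> str:
    """Digest of the canonical JSON of the file list, so edits to the list are detectable."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> dict:
    """Walk evidence_dir and record digest, size and mtime for every file.

    case_id and collector are hypothetical chain-of-custody fields.
    """
    root = Path(evidence_dir)
    entries = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            st = p.stat()
            entries.append({
                "path": p.relative_to(root).as_posix(),
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
        "files_sha256": _files_digest(entries),
    }


def write_manifest(evidence_dir: str, manifest: dict) -> Path:
    """Persist the manifest next to the evidence (it is excluded from its own file list)."""
    out = Path(evidence_dir) / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Re-hash every recorded file and return a list of problems (empty means intact)."""
    root = Path(evidence_dir)
    problems = []
    if _files_digest(manifest["files"]) != manifest.get("files_sha256"):
        problems.append("manifest file list was modified after collection")
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    # Files that appeared after collection are flagged too: the set must be closed.
    known = {e["path"] for e in manifest["files"]}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel != MANIFEST_NAME and rel not in known:
            problems.append(f"unexpected file added: {rel}")
    return problems


if __name__ == "__main__":
    import sys
    d = sys.argv[1] if len(sys.argv) > 1 else "./evidence"  # hypothetical default path
    m = build_manifest(d, collector="ir-team", case_id="CASE-0001")
    print("manifest written to", write_manifest(d, m))
    print("verification problems:", verify_manifest(d, m))
```

The manifest is only as trustworthy as the copy of it that leaves the incident team's hands: keep a printed or separately stored copy of `files_sha256` (or of the whole manifest) with the case notes, because an attacker who still has access to the evidence host can rewrite both the files and the manifest beside them. Hashing the original source (the live disk or log server) before copying, and comparing it with the copy, closes the remaining gap between "what we collected" and "what was there".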

SEC's Guidance for Funds and Advisers
The SEC's Division of Investment Management's Cybersecurity Guidance identifies a number of measures that registered investment companies ("funds") and registered investment advisers ("advisers") "may wish to consider when addressing cyber risks." The guidance also notes that the SEC staff recognizes that "it is not possible for a fund or adviser to anticipate and prevent every cyber attack."
The Guidance notes that funds and advisers may wish to review their operations and compliance programs to assess whether they have measures in place designed to mitigate cybersecurity risks; because operations vary from firm to firm, it describes tailoring compliance programs accordingly. The Guidance also notes that funds and advisers may wish to assess whether protective measures are in place at relevant service providers.
Below are summary highlights of some additional considerations from the SEC's guidance document; the SEC Guidance can be accessed here.
Conduct a Periodic Assessment
  • Nature, sensitivity and location of information collected, processed and stored, and the technology systems involved
  • Internal and external cybersecurity threats to/vulnerabilities of information and technology systems
  • Security controls and processes (current)
  • Impact should the information or technology be compromised
  • Effectiveness of governance structure for managing cybersecurity risk
Create a Strategy Designed to Prevent, Detect and Respond to Cybersecurity Threats
Strategy could include:
  • Controlling access to systems
  • Data encryption
  • Protecting against loss or exfiltration of sensitive data, by restricting use of removable storage media and deploying software that monitors technology systems
  • Data backup and retrieval
  • Deployment of an incident response plan
  • (Guidance notes routine testing could also enhance strategy effectiveness)
Implement Strategy
  • Policies and procedures
  • Training
  • Monitor compliance with cybersecurity policies and procedures
  • (Guidance notes firms may also wish to educate investors on how to reduce exposure to cybersecurity threats concerning their accounts)