Safe Systems, a national provider of compliance-centric IT support and hosted services for financial institutions, today announced the launch of its Incident Response Plan Testing service, which has been designed to guide and support banks in the current cyber-threat environment.
“Vendor due diligence and on-going oversight are still very important, but because of the relative lack of control in an outsourced relationship, an effective incident response plan is the best, and perhaps only, defense”
All regulatory statements about cybersecurity have singled out the need for an effective incident response plan, and the FFIEC refers specifically to incident response testing as one of the primary takeaways from its recent webinar, encouraging all institutions to consider:
How often is my institution testing its plans to respond to a cyber-attack? Do these tests include our key internal and external stakeholders?
While vendor oversight does provide some measure of assurance in outsourced relationships, banks have very little actual control over specific vendor-based preventive controls. Additionally, regulators make no distinction between a financial institution’s responsibilities for data security within direct control, and data outside direct control of the institution. Essentially, when outsourcing, institutions have 100 percent of the responsibility and zero control. Detective and corrective/responsive controls must compensate for the lack of preventive controls in order to maintain compliance and reinforce security. An institution’s plan is only as good as it proves to be during testing.
There are three key areas of support that Safe Systems provides to its customers through this service:
1. Assures that the objectives of the test align completely with regulatory guidance and best practices.
2. Identifies the scenario of the incident being tested. Ideally it should be drawn from recent industry events, something the institution has actually experienced, or even derived from a recent social engineering test.
3. Fully documented and presented in a manner that can be delivered to the board, as well as auditors and examiners.
“Vendor due diligence and on-going oversight are still very important, but because of the relative lack of control in an outsourced relationship, an effective incident response plan is the best, and perhaps only, defense,” said Tom Hinkel, VP of Compliance Services of Safe Systems. “Just as with disaster recovery plans, incident response plans must be both compliant, and viable. They must pass regulatory scrutiny, and a bank’s incident response team must be able to follow it when an incident occurs. Knowing how to classify an incident, and understanding if and when customer and regulator notification is required, is critical to a plan’s effectiveness. Through the Incident Response Plan Testing service, an institution can rest assured that their plan will not only pass regulatory scrutiny, it will provide the framework an institution’s incident response team needs to confidently manage any cyber event.”