There is no question that when an incident occurs, there are a lot of people who may need to be notified, especially if you work for a financial institution. Who do you contact and when should you contact them? In this article, we will answer these questions, as we talk about incident response plan communication guidelines.
A Quick Word of Caution
Sharing information about an incident can improve collaboration, knowledge, and awareness of security challenges facing your organization. However, it can also expose the organization to security, reputation, and even liability issues, if not managed properly.
To prevent unauthorized disclosure of proprietary organization or customer data, any information sharing should comply with privacy laws and regulations. If proprietary information needs to be shared, work with your public relations, compliance, and legal advisors to make sure the appropriate precautions are in place and everything is adequately documented.
Following is a list of parties to include in your incident response plan communication guidelines. The list is organized into three sections:
- Required Notifications
- Internal Notifications
- Third-Party Notifications
If you are a financial institution, the Interagency Guidelines Establishing Information Security Standards require you to notify:
- Customers / Members when an incident results in the unauthorized access and misuse of their personal information. To take your plan to the next level, your communication plan should define authorized communication channels (e.g., email, media press conference, physical letter, SMS / text message, social media, webpages, etc.) and include notification templates.
- Law Enforcement when an incident involves criminal activity and/or may result in legal proceedings. Examples of law enforcement to consider include the Federal Bureau of Investigation (FBI), U.S. Secret Service, Department of Homeland Security (DHS), state law enforcement, local law enforcement, the district attorney's office, etc.
- Regulators when an incident involves a breach of data. In addition, a proposed rule recommends notifying regulators of any incidents which cause operational disruptions.
- Financial Crimes Enforcement Network (FinCEN), via Suspicious Activity Report (SAR), when an incident meets the following minimum requirements.
- Insider abuse of any amount;
- Violations aggregating $5,000 or more where a suspect can be identified;
- Violations aggregating $25,000 or more regardless of potential suspects; or
- A transaction conducted or attempted by, at, or through the organization, which involves or aggregates at least $5,000 in funds or other assets, and the organization has reason to believe the transaction:
- May involve money laundering or other illegal activity;
- Is designed to evade the Bank Security Act (BSA) or its regulations; or
- Has no apparent business or legal purpose, is not the type of transaction the customer would normally engage in, and the organization has no reasonable explanation for the transaction.
While your incident response team will be largely responsible for handling an incident, you should plan to notify affected departments or staff with required expertise, such as:
- BSA/AML and Fraud Prevention Staff when an incident involves criminal activity.
- Business Continuity Staff when an incident could cause a business disruption (e.g., denial-of-service attack, natural event, system failure, etc.).
- Compliance and Legal Staff when an incident involves a data breach, operational disruption, or criminal activity.
- IT Operations and Cybersecurity Staff when an incident involves technology and/or cyber-events (e.g., malicious code, system failures, etc.).
- Vendor Management Staff when an incident involves a third-party service provider.
- Senior Management and the Board of Directors when an incident could cause significant operational, financial, reputation, and/or strategic impact.
When applicable, you should also plan to notify:
- Information Sharing Agencies when data learned from incident analysis could be beneficial for others who may be affected by a similar incident. Examples of information sharing agencies to consider include the Anti-Phishing Working Group (APWG), Cybersecurity and Infrastructure Security Agency (CISA), Information Sharing and Analysis Centers (ISACs), Forum of Incident Response and Security Teams (FIRST), and other incident response teams.
- Insurance Agencies when the organization plans to file a claim on the organization's insurance or cyber insurance policy.
- Internet Service Providers when assistance may be necessary to block a network-based attack or trace an attack's origin.
- National Automated Clearing House Association (NACHA) when an incident involves a breach of consumer-level automated clearing house (ACH) data. See the NACHA website for instructions and reporting forms:
- Nationwide Consumer Reporting Agencies (i.e., Equifax, Experian, and TransUnion) when a large number of customers will be contacted about an incident, and the notification recommends customers contact a consumer reporting agency.
- Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) when a ransomware incident involves a U.S. financial institution or could cause a significant disruption in the ability to provide financial services, per an advisory from the Department of the Treasury.
- Office of Foreign Assets Control (OFAC) when a ransomware incident involves payment to a recipient who may be associated with a sanctioned entity, per an advisory from the Department of the Treasury.
- Payment Providers (e.g., the Federal Reserve, correspondent banks, etc.) when an incident involves fraudulent transactions. Payment providers should be notified immediately in an attempt to reverse suspected transactions.
- Receiving Institutions when an incident involves fraudulent transactions. Receiving institutions should be notified immediately in an attempt to reverse suspected transactions. While payment providers can often notify receiving institutions on behalf of the organization, the organization must notify receiving institutions if this is not a service provided by their payment providers; if the organization settles its own payments; or if the transaction involves ACH payments.
- Vendors when an incident originates from or may impact a vendor's services.
In preparation for an incident, members of your organization's incident response team should:
- Create a specific notification checklist. This article provides a general list to help get you started and is not intended to be comprehensive. There may be entities on this list who you do not need to notify, while there may be others you should include in your program. Work with your compliance team to ensure you are planning to notify the appropriate parties during an incident.
- Verify how incidents should be reported. Everyone has a different way information should be reported. Some have online forms. Some ask for emails or phone calls. Some leave it up to you. As part of your incident response plan, know how you plan to communicate and what information will be expected of you for each party.
- Document contact information in the incident response plan. You do not want to be searching the internet for a working phone number in the middle of an incident. Having contact information readily documented in your plan will improve your response processes.
To help you track which parties you contact during an incident, download our Incident Tracking Form. If you are ready to take your program to the next level, check out Tandem Incident Management. Tandem is ready to help you build an effective incident response plan with template communication guidelines, a place to store third party contact information, and sample customer notices.