Incident Response Plan (IRP), Cyber Insurance, Identifying Partners

How to Build your Incident Response Plan

1. Standards-based - SANS or NIST

2. Defined Incident Response Team

3. Assign tasks and responsibilities to specific roles

4. Assign someone to log the incident

5. Contact information for key staff, third parties, and law enforcement

6. Define how you will communicate ahead of time. Conference bridges, out-of-band communication

7. Quick action response steps for Ransomware, Malware infection, Third-party breaches, etc.

8. Test the plan at least annually

9. Make sure everyone on the Incident Response Team is familiar

10. Revise as necessary to match the current environment

An incident response plan is vital to an efficient neutralization of a threat. If you don’t know in advance how you will respond, then you aren’t going to have a very effective response. Therefore, when creating your Incident Response plan, make sure it is based on standards, such as SANS or NIST, and clearly defined incident response team members with assigned tasks and responsibilities. The goal is to avoid ambiguity of duties. When an attack occurs, the more clearly outlined the tasks are, the more likely they will be completed quickly.

An incident response plan is crucial to resolving an incident, but lessons are always learned. Have someone assigned to recording the steps and actions completed during an incident to pinpoint and identify areas that the company executed well and areas that can be improved and make adjustments for the future.

An incident response plan aims to have all the information and steps your credit union needs to follow to respond to the threat quickly. Ensuring that contact information for key staff, third parties, and law enforcement is in this plan will avoid wasting valuable time searching for this information elsewhere during an incident.

If someone has gained access to your environment and gotten into your email system, they may know your action plan. It is vital to stop using that form of communication to avoid giving them access to new information. Your Incident Response plan should include other forms of communication, such as a conference bridge and out-of-band communications.

For each of the following, quick action response steps should be noted in your incident response plan: ransomware, malware infections, third-party breaches, etc. Quick, decisive actions can mean the difference between a bad day and a bad couple of weeks for threats like these.

Testing your plan annually ensures that everyone on the Incident Response Plan is familiar with their roles and responses and allows updates for anything that has changed since the last time it was tested.

Verifying your Cyber Insurance

This is a must-have for a credit union! Ransomware attacks are only increasing, and they can be costly for your organization. When picking or reviewing your cyber insurance, the following is what you should be on the lookout for:

1.Does it include breach response?

• In other words, will they assist you when there is a breach?

2.Do you have ransomware coverage?

• BE CAREFUL: Not all plans cover ransomware. As the risk grows, you will want to be sure your insurance covers this.

3.Requirements are changing. Do you meet your carrier’s minimum requirements?

• Many carriers are changing and increasing their requirements. If you do not meet all their provisions, you may not be able to get ransomware coverage. Therefore, we recommend you reach out in ADVANCE to see if you qualify BEFORE an attack happens.

4.Know how to engage them ahead of time

• Set up a call with your insurance company to learn what you should do initially, how/if they will help you respond, and ensure that you meet their requirements for full coverage.

A note from our cybersecurity experts:

Breaches: Many insurance companies are adding additional caveats for technology attacks due to incidents such as the “solar winds attack.” Be sure to pay attention to your infrastructure and make sure your provider covers this. If you have an arrangement with an incident response support provider, make sure that this provider is also covered and approved by your cyber insurance.

Identifying your Partners

Before your select, someone, verify that your insurance carrier will approve them.

1. Breach attorney

   • They are key in coordinating your response and minimizing your legal exposure.

2. Breach response

   • Be sure you have someone trained in response and forensics and that your insurance carrier approves them.

3. Forensics

A note from our cybersecurity experts:

The term “Breach” has a specific legal meaning but is often used more generically throughout the industry about any incident. We advise caution about using this term, especially when communicating externally, as not all incidents are breaches. It usually means a compromise of data and requires a breach attorney to be present. You do not want to be communicating “breach” to your customers when it is a security incident instead.

Cybersecurity is not just a want; it is a need in today’s online environment. It is no longer a matter of “if” you get attacked, but “when”. So don’t wait until it is too late. Instead, start assessing, planning, and testing your incident response plan, so that you are ready to prepare and help prevent your Credit Union from succumbing to a cyberattack.

Additional Resources:

This blog is an excerpt from our recent webinar, Preventing, and Preparing for Cyberattacks, watch the full webinar here: https://attendee.gotowebinar.com/recording/5721370744244067330

For managed patching solutions click here

To learn how we can help assess your credit union security preparedness click here

Need help with your disaster recovery plan click here