Cyber & IT Supervisory Forum - November 2023

be able to provide examiners with an after-incident report documenting what went right and what went wrong. Following an incident, management should prepare their own assessment of how well things went (i.e., call trees worked; communications and notifications to regulators and customers were efficient and made in accordance with regulatory requirements; controls to identify, alert, and contain the incident were effective; threat intelligence was received and was useful to prepare for the incident; etc.). Management should also have some sort of effective, documented mechanism to track any gaps identified during the incident and should ensure that any identified weaknesses in the IR Plan or any technical controls are promptly remediated in a reasonable timeframe commensurate with the difficulty of implementing the remediations (for example, a necessary change in, say, a call tree shouldn't take three months to complete). Such changes are needed to ensure that the IR Plan remains dynamic and well-suited to react to future incidents. Notably, requirements for after-incident reporting should be documented in the IR Plan as support for regular, scheduled testing of the IR Plan as well. In addition, scheduled testing of the IR Plan should be performed at a frequency appropriate for the size, complexity, and business activities of the entity (at least annually is a recognized industry best practice). As we have seen, the IR Plan is dynamic, and it is important that the plan is updated in response to things such as routine changes in staff, vendors, and changes in business units, and not just in response to an actual incident. Routine testing outside of an event is necessary to inform changes in the Plan. Testing requirements should be documented in the IR Plan.

b. Review of the Incident Response Plan: The Incident Response Plan (IR Plan) is the document that provides the entity with a playbook for responding to an incident. The desirable components of an IR Plan were generally addressed in the primary exercise, but the key takeaway here is that the IR Plan should be written and structured to afford the entity the very best chance to work through an event in an organized and efficient manner. And for entities subject to the written IR Plan exemption under the Safeguards Rule, you should be able to determine, through discussions with management, that the company is sufficiently prepared to respond to an incident to protect the interests of the company and its customers.

c. Technical Safeguards and Security Measures: There are a number of technical controls that are often utilized by entities of all sizes to monitor networks and systems for suspicious activities. When examining an entity following a security event, you will want to discuss with management how well those systems worked and whether any changes are necessary going forward. Did systems perform as expected? What systems informed management of an issue? Were those alerts and notifications timely? Are there any additional controls that might have accelerated awareness of the security event? What
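The after-incident questions above (was the alert timely, were regulator notifications made within requirements, were identified gaps remediated promptly) can be answered with numbers rather than impressions if the response team records a few timestamps. The script below is an added illustration, not material from the forum or from any examination procedure: it takes a constructed incident timeline and gap list, computes time-to-detect, time-to-contain and time-to-notify, and flags anything that exceeds assumed targets. The thresholds (one hour to alert, eight hours to contain, 72 hours to notify the regulator, 30 days to close a gap) are placeholders; an entity would substitute the targets written into its own IR Plan and the rules that apply to it.

```python
"""After-incident timeliness check over a constructed incident timeline."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed thresholds (placeholders, not values from the forum text). An entity
# would take these from its own IR Plan and the regulations that apply to it.
ALERT_TARGET = timedelta(hours=1)          # monitoring should alert within 1h
CONTAIN_TARGET = timedelta(hours=8)        # containment within 8h of the alert
REGULATOR_DEADLINE = timedelta(hours=72)   # e.g. a 72-hour notice requirement
REMEDIATION_TARGET = timedelta(days=30)    # identified gaps should not linger


@dataclass
class IncidentTimeline:
    """Key timestamps gathered while preparing the after-incident report."""
    first_malicious_activity: datetime         # earliest evidence from forensics
    first_alert: Optional[datetime] = None     # when a control raised an alert
    alert_source: str = ""                     # which system informed management
    contained: Optional[datetime] = None
    regulator_notified: Optional[datetime] = None


@dataclass
class Gap:
    """A weakness identified during the incident, tracked to remediation."""
    description: str
    opened: datetime
    closed: Optional[datetime] = None


def assess_timeline(tl: IncidentTimeline) -> Tuple[Dict[str, timedelta], List[str]]:
    """Compute detection, containment and notification intervals; flag misses."""
    metrics: Dict[str, timedelta] = {}
    findings: List[str] = []

    if tl.first_alert is None:
        findings.append("no monitoring control alerted; awareness came from elsewhere")
    else:
        metrics["time_to_detect"] = tl.first_alert - tl.first_malicious_activity
        if metrics["time_to_detect"] > ALERT_TARGET:
            findings.append(f"alert from {tl.alert_source or 'unknown source'} took "
                            f"{metrics['time_to_detect']} (target {ALERT_TARGET})")

    if tl.contained is None:
        findings.append("containment time not recorded")
    elif tl.first_alert is not None:
        metrics["time_to_contain"] = tl.contained - tl.first_alert
        if metrics["time_to_contain"] > CONTAIN_TARGET:
            findings.append(f"containment took {metrics['time_to_contain']} "
                            f"(target {CONTAIN_TARGET})")

    # Assumption: the regulatory clock starts when the entity becomes aware,
    # which here is the first alert. The real trigger depends on the rule.
    if tl.regulator_notified is None:
        findings.append("regulator notification not recorded")
    elif tl.first_alert is not None:
        metrics["time_to_notify_regulator"] = tl.regulator_notified - tl.first_alert
        if metrics["time_to_notify_regulator"] > REGULATOR_DEADLINE:
            findings.append(f"regulator notified after "
                            f"{metrics['time_to_notify_regulator']} "
                            f"(deadline {REGULATOR_DEADLINE})")
    return metrics, findings


def late_gaps(gaps: List[Gap], as_of: datetime) -> List[str]:
    """Gaps closed late, or still open past the target, e.g. a stale call tree."""
    return [g.description for g in gaps
            if (g.closed or as_of) - g.opened > REMEDIATION_TARGET]


def sample_report() -> Tuple[Dict[str, timedelta], List[str], List[str]]:
    """Run the checks over a constructed timeline (sample data, not a real case)."""
    t0 = datetime(2023, 9, 4, 2, 15)
    tl = IncidentTimeline(
        first_malicious_activity=t0,
        first_alert=t0 + timedelta(hours=3),      # EDR alerted three hours in
        alert_source="EDR",
        contained=t0 + timedelta(hours=7),
        regulator_notified=t0 + timedelta(hours=80),
    )
    gaps = [
        Gap("call tree listed a departed on-call manager",
            opened=t0 + timedelta(days=1), closed=t0 + timedelta(days=95)),
        Gap("no alert on new administrator account creation",
            opened=t0 + timedelta(days=1)),
    ]
    metrics, findings = assess_timeline(tl)
    return metrics, findings, late_gaps(gaps, as_of=t0 + timedelta(days=20))


if __name__ == "__main__":
    m, f, late = sample_report()
    for k, v in m.items():
        print(f"{k}: {v}")
    for line in f + [f"late gap: {g}" for g in late]:
        print(line)
```

In the sample data the alert and the regulator notification both miss their targets while containment is within target, and the call-tree fix that took about three months is flagged while a gap opened nineteen days earlier is not yet overdue. The metrics dictionary is what belongs in the after-incident report; the findings list is the starting point for the gap-tracking mechanism the text asks for.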
