Cyber & IT Supervisory Forum - November 2023

examiner, the important thing to consider is whether the organization is sufficiently prepared to do so if necessary.

3.) What customer and regulatory reporting requirements must be considered in this situation? What other parties should be notified?

As we mentioned in previous questions, customer and regulatory reporting requirements do vary from state to state. All incident response plans should consider these requirements. In addition to the customer notification requirements in the states, it will also be important to establish efficient communications channels to handle ongoing inquiries from affected customers. This can be overwhelming for the entity, particularly when a large number of customers are affected. Resources to assist entities with customer notification and communications (i.e., dedicated call centers) are often provided as a benefit of cybersecurity insurance policies via breach coach services. Regardless, this is a consideration that must be examined to avoid overloading the entity and creating additional dissatisfaction among customers.

We have also noted the importance of involving federal law enforcement agencies in the response to a significant cyber incident. Agencies such as the FBI and the US Secret Service can often provide unique assistance to the affected entity. However, to obtain the maximum benefit from relationships with these agencies, it is critical that they be brought into the response process early. These agencies possess subpoena powers to obtain logs and other information that may not be provided directly to the entity itself (particularly when that information is being requested, for example, from a vendor or a service provider); they often possess detailed or unique knowledge of threat actor behaviors, attack patterns, and indicators of compromise; and they may be able to assist in obtaining decryption keys for ransomware events. In addition, these agencies may be able to assist in stopping the transfer of money from the organization to the threat actor.

But again, the key here is early intervention and involvement. Entities are encouraged to establish relationships with local or regional federal law enforcement offices before an event occurs to facilitate familiarity and faster response.

RETURN TO OPERATIONS AND LESSONS LEARNED:

INJECT 4: Monday, 9:00 am, Monday, June 13: Company operations have now largely returned to normal, although some behind-the-scenes IT staff work continues to button up systems and the company’s network.

1.) How might the organization address lessons learned during the event to help prevent the incident from reoccurring and to make response processes more effective if another incident occurs?

A real-world incident that occurs within an organization provides an unparalleled opportunity to take a retrospective look at the incident response plan. Tabletop scenarios and other exercises simply cannot compare to the experience of actually deploying the plan in response to a live event. But much like a sports team reviews game film following
