Cyber & IT Supervisory Forum - November 2023
a game and makes necessary adjustments (however minor) to their game plan, a similar action should be taken when an organization experiences an incident requiring activation of the plan. An after-incident review might reveal several aspects of the plan that require adjustment, including:

a. Technical response weaknesses (issues with specific incident response playbooks, which are particularly important for IT teams to review)
b. Weaknesses in any dependent vendor relationships (were there any vendors that failed to meet expectations or contractual responsibilities during the response?)
c. Weaknesses within internal teams or individuals responsible for remediation efforts (do our call trees contain current, accurate information? Were there any gaps in communication between teams, to senior management and the Board, and to external parties?)
d. Weaknesses in actual technical or administrative controls that became visible during the event (i.e., weaknesses in employee cyber hygiene or governing policies that might suggest a policy review or additional training is necessary, failure of a technical control that contributed to the event, etc.)

Any lessons-learned exercise that follows a cyber event of any type should be sufficiently documented and reviewed by appropriate parties within the institution. And just like actionable items from non-event testing of the plan, gap remediation efforts should be appropriately tracked to ensure that gaps needing remediation do not "fall through the cracks." And speaking of testing, it is important that the incident response plan be tested at least annually, or on a more frequent cadence if necessary. Testing of the plan at least annually represents an industry best practice.
The incident response plan is a living document and should also be updated throughout the year when there are changes in staff or vendors, changes in organizational business units, or the introduction of new technologies within the organization. As we've seen in today's exercise, there are many aspects and considerations that should be covered by the plan. The last thing the organization will want is for that plan to be outdated, disorganized, or not reflective of the actual workings of the business. Discovering weaknesses in the plan while it is being implemented can be detrimental to the organization and can contribute to financial and reputational loss for the organization, as well as legal and regulatory concerns.

END OF PRIMARY EXERCISE