Incident Response Plans & Vendor Management: Lost in the Cybersecurity Mix
Brian Toevs
Jenny Roland-Vlach, CISM, Compliance Analyst – Jack Henry & Associates
If you find yourself in need of a stark reminder on how quickly time passes by, consider this: May 2018 marks three years since the FFIEC officially announced their focus on cybersecurity for financial institutions. In addition to periodic updates being provided by the FFIEC, there have been a multitude of articles on the topic of cybersecurity. While there has been an emphasis on areas such as C-Suite training and information sharing, I have noticed two items in particular that seem to be getting lost in the mix of cybersecurity discussions. Those items are Incident Response Plans (including testing plans) and critical vendor management. Let’s look at Incident Response Plans first.
Every financial institution has an Incident Response Plan in place, but what varies is how detailed the plan is and how effective it is. In order to respond properly, FIs first need a plan that can actually be followed. A high-level, one- to two-page plan is not going to suffice. If this sounds like your own plan, pay close attention to the following.
Detail how you plan to respond to specific scenarios, classified by severity level (from virtually no impact on your FI to immediate and severe consequences), and make sure that cyberattacks are included in the list of potential scenarios.
Your plan should also clearly indicate the members of your Incident Response Plan team and what their responsibilities are during an incident. Ensure that team members understand these responsibilities.
In November 2014, the FFIEC released two documents, one of which was the Cybersecurity Assessment General Observations. This document highlights essential questions that FIs and their Board of Directors need to consider. For Incident Response Plans, the FFIEC has stressed the importance of knowing how to respond internally and with customers, vendors, regulators, and law enforcement. Procedures for these items should also be addressed within your own plan.
Another critical component of Incident Response Plans is testing. FIs failing to test their plans is certainly not a new concern; in fact, it has been an ongoing issue. If your FI has never tested its plan, or a significant amount of time has passed since it was last tested, now is the time to make testing part of your routine.
Incident Response Plans should be tested at least annually, and remember that testing is your opportunity to find out whether your plan can actually be followed during an incident. Tabletop test scenarios can be as elaborate or as simple as you like, but a cyberattack scenario is certainly recommended. If your FI experiences a cyberattack, knowing that your plan is well developed and has been tested will go a long way toward making the response easier.
Vendor management of critical vendors is the other topic that seems to be getting lost in the cybersecurity discussion. It would be a mistake to not consider how vendor management impacts cybersecurity. The cybersecurity controls that your critical vendors put into place and how well they manage those controls will inevitably impact your FI. If your vendors lack sufficient controls, a breach at one of their locations could put your corporate and customer non-public information at risk. This is why the FFIEC stressed appropriate vendor management in the Cybersecurity Assessment General Observations document. Specifically, they highlight the importance of considering the risks of vendors’ connections to your systems and evaluating the controls that they have in place on their end.
In February 2015, the FFIEC released Appendix J: Strengthening the Resilience of Outsourced Technology Services. At first glance this guidance appears to focus entirely on Business Continuity Planning; however, it is full of valuable vendor management information. The guidance covers a number of items for your FI to consider and explains how they are essential to your critical vendors’ (and ultimately your FI’s) cyber resilience. These items include:
- Evaluation and selection of vendors
- Initial and ongoing due diligence
- Management of multiple vendors
- Contingency planning
- Cyber resiliency efforts
By having and maintaining an effective Vendor Management Program, your FI will find itself in a better position to address cybersecurity on all fronts. The Superintendent of Financial Services for the State of New York, Benjamin Lawsky, summed up this idea quite well with his statement in a Press Release, “A bank’s cybersecurity is often only as good as the cybersecurity of its vendors.”
As your financial institution works to improve its strategic plan for addressing cybersecurity, it is important to remember all the components that make for an effective plan. Incident Response Plans and vendor management are easily overlooked when tackling a topic such as cybersecurity, but both will greatly impact your efforts. Devoting the necessary time to updating your Incident Response Plan (and testing it) and to appropriate management of critical vendors will strengthen your own cybersecurity controls and leave you better prepared to prevent and respond to potential cyberattacks. While these two elements may not be at the forefront of the cybersecurity discussion, Incident Response Plans and Vendor Management Programs will prove to be just as crucial at the end of the day.
Jenny Roland-Vlach is a Compliance Analyst, Advanced for Jack Henry & Associates’ Gladiator IT Regulatory Compliance group. In her current role, she is responsible for assisting financial institutions with developing and maintaining their IT and Information Security policies and risk management efforts. She has 13 years of experience working both in and with community financial institutions and holds the CISM designation. Opinions expressed in this blog are solely the author’s and do not necessarily reflect those of Jack Henry & Associates, Inc.