Is Your Incident Response Plan Ready?

As community banks come to grips with the new environment of data breaches, ransomware and other cyberattacks, developing a strategy for responding to these types of incidents has become a requirement.

By Karen Epper Hoffman

Today, information security is less about if your organization will be breached, and more about when, as information security professionals find cybercriminals outpacing their own ability to prevent attacks.

Community banks, like businesses in all sectors, are dealing with the reality of an inevitable breach by developing incident response plans for the weeks, days or hours after a breach has been spotted.

“Incident response is critical to defend institutional assets and customer information,” says Jeff Julig, vice president and chief information security officer at financial services company SWBC in San Antonio, Texas. “When you have a dynamic and complex threat, it is prudent to prepare a plan against it,” just as a bank would have a plan in place for potential branch robberies.

Jason Malo, senior executive advisor at research and advisory firm CEB, now Gartner, believes all financial institutions need a response plan for incidents that affect them—both internal and external.

“Incident response is not just a technology role,” Malo says. “Customers need to feel their bank is protecting them. Community banks especially need to be well-prepared so that their customers don’t feel they need to go to a big bank with a big security budget to be protected.”

Kyle Kunnen, senior vice president and information security officer for $3.14 billion-asset Mercantile Bank of Michigan, says having an incident response plan is as important as having a recovery plan for natural disasters, especially since cybersecurity incidents are far more frequent. “The threat landscape has changed dramatically over the years,” Kunnen says. “The days of hackers trying to prove to themselves and others they can do something is long gone. … Every one of these bad actors is after your data, intelligence, anything that will make or save them money or push their agenda.”

Jackie Marshall, senior manager of consulting services at ProfitStars, agrees that cyber-resiliency among banks partially depends on an established arsenal of response and recovery plans. “Cyberattackers’ goals may be financially motivated. Bank and bank customers’ data are some of the most desirable targets for cybercriminals,” she says.

Preparing a plan

The first step in planning for a breach is clarifying what exactly constitutes an incident “so that employees are able to recognize a potential incident and get incident responders involved promptly,” says Timothy P. Ryan, principal for EY Fraud Investigation and Dispute Services. Ryan advises that every incident response plan include “well-defined escalation procedures detailing the steps the company will go through to escalate potential incidents for analysis and response.”

Next, a response plan will detail who will do what, and when. “A robust incident response plan outlines a variety of policies and processes for security teams to remediate, recover and quickly get back to business,” explains Itzik Kotler, chief technology officer and cofounder of SafeBreach, which has developed a simulated breach and attack platform. “Because community banks and other financial institutions are subject to a number of compliance laws, an incident response plan is critical to ensure that they can rebound quickly and are not subject to regulatory fines.”

Ryan agrees. “Like almost any type of crisis, the more you can anticipate and prepare, the better the outcome will be,” he says, adding that each employee’s understanding of his or her role in the incident response plan is crucial. Ryan says a solid plan “lays out the escalation process to keep management informed and involved, and details the methodologies and preapproved vendors so they can be mobilized quickly.”

An incident response plan should consider the most common potential IT security threats and how to deal with them, experts say. For community banks, Marshall says this includes plans for dealing with ransomware, commercial account takeover and distributed denial-of-service (DDoS) attacks.

Kunnen adds that any plan should also be easily adaptable to the situation at hand. “Firefighters spend much more time preparing for when the alarm goes off, so when it does, they are in their gear and on the way in record time to fight a fire which they have prepared to battle,” he says.

With that idea in mind, Kunnen and other industry experts encourage community banks to make sure their incident response plan isn’t just a document to appease the regulators. “It needs to be a tabletop exercise that should lead to a functional exercise, making sure you are able to truly do what you claim is possible and adjust where necessary,” he advises.

Similarly, Richard Roscher, sales manager in the fintech space at First Data Corp., points out that “a data breach can not only hurt your customer, it hurts your financial institution as a whole due to customer confidence.” He recommends researching the latest fraud security products for financial institutions, since they improve every year.

All hands on deck

Julig believes the main tenet of any incident response plan is teamwork, usually led by the chief information security officer. “The first time [IT security] meets the bank counsel should not be during an actual incident response,” he says.

Steve Sanders, vice president of internal audit for Computer Services, Inc., believes an often-overlooked plan component is communication. “How will the bank communicate with their customers, vendors, regulators and the media?” Sanders asks. “What is the message, and how is that message vetted before distribution? Who delivers the message, and are all other employees well-trained to know they are not to speak to anyone about the incident without clear instructions from an authorized party within the bank?”

While cyberattacks can sometimes feel like a “future” problem, the threat is real right now, so a clear and practical plan is a business imperative for community banks.

Incident response in four steps

Itzik Kotler, SafeBreach CTO and cofounder, offers his tips:

1. Diagnose the issue. Security teams need to determine if this task will be performed by an internal team or outsourced to a managed service provider.

2. Collect forensics data. Just like with crime scenes, the most important thing to do is ensure all information related to the incident is collected. This not only determines the right remediation activities, it also prevents future incidents.

3. Communicate the incident. A communication plan must be defined to notify affected customers and legal entities. Security teams will need to work with their PR and legal firms to brief all the proper stakeholders, including the CEO and board.

4. Conduct a post-breach analysis. This measures metrics such as time to detect, time to recover and time to respond in order to improve performance during future incidents.

What is Sheltered Harbor?

Launched last year, the Sheltered Harbor initiative allows financial institutions to store their critical account data in an encrypted, secure vault, keeping it safe in the event of a data breach. Should a bank experience a breach, it would work with a “restoring institution”—another member—to access its vault and the secured customer data within, and maintain customer account access. ICBA is one of the US financial services industry participants that have worked to make Sheltered Harbor a reality.

“We have been involved since the start, and we are members of the board,” says Jeremy Dalpiaz, ICBA assistant vice president for cyber and data security policy. “Because this is an industry-led initiative, that is the benefit. It is very focused on the customer.”

Dalpiaz highly recommends that community banks invest in this kind of resiliency. “Community banks are a trusted financial resource, and there is trust in relationship banking,” he says. “It is pivotal to secure customer data to keep that trust should a breach happen.”

To learn more about Sheltered Harbor or sign up, visit

Karen Epper Hoffman is a writer in Washington state.