Cybersecurity Article Series

6 Phases Every Incident Response Plan Should Include

Part two of a two-part article series

The list of companies in the investment management industry that have suffered a data breach is long and growing. Last February, Sequoia Capital fell victim to a data breach when a third party accessed their investor’s personal and financial information after an employee’s email was phished. Sequoia Capital isn’t alone as Limited Partners and General Partners are increasingly being targeted by cyber-criminals. According to Cybersecurity Ventures, by 2025, cyber-crime is expected to cost businesses $10.5 trillion globally annually.

Firms can take steps to minimize the chances of experiencing a cyber incident. In part one of this article series, we discussed three preventative measures firms should take, including arming employees with knowledge on how to identify a cyber threat and what to do if they suspect a breach has occurred.

The hours and days following a data breach are critical, and a well thought out response can be the difference between a successful recovery and a hit to the business. This article will share insight on creating an effective Incident Response Plan (IRP), what steps should be taken, and how best to move forward after an incident occurs.

Six Phases of an Effective Incident Response Plan

There is no one-size-fits-all plan an investment management firm can adopt, but there are shared characteristics every IRP has that will guide the development of a firm’s individual plan. The IRP is a critical document for today’s heightened cybersecurity risk environment as it outlines the steps that should be taken if an incident is discovered, how to evaluate the depth of the breach and how to remediate it. Outlined below are six phases all IRPs should entail to help teams recognize and deal with a cybersecurity incident. The six phases are:

  1. Preparation
  2. Identification
  3. Containment
  4. Elimination
  5. Recovery
  6. Lessons Learned

Let’s examine each stage closer.

Phase 1 | Preparation

Phase 1 is the most crucial phase of a firm’s incident response planning. The plan should be well documented, and all involved parties should understand their roles and responsibilities. The plan should also be tested to ensure employees receive proper training and know what to do if an incident occurs.

The preparation phase should focus on the following three action points:

  1. Conduct in depth training to ensure employees are knowledgeable of their role in the event of a data breach.
  2. Perform mock breaches to evaluate the effectiveness of the IRP and employee training.
  3. Ensure all components of the IRP are documented and assigned to the responsible party.

Phase 2 | Identification

The next phase of the incident response plan determines whether there has been an incident. Questions that should be asked during this phase include:

  1. When did the event occur?
  2. How was it discovered?
  3. Who discovered it?
  4. Have any other areas of the business been impacted?
  5. What is the scope of the data breach?
  6. Will it impact the day-to-day operations?
  7. Has the point of entry been identified?

Phase 3 | Containment

Most firms that fall victim to a cyber incident immediately delete the affected files to get rid of the contamination. But this is opposite of what should be done as deleting files destroys evidence needed to determine where the breach started.

Firms should instead focus on containing the breach, so it doesn’t cause further damage. If possible, disconnect affected devices from the internet and restore business operations by applying system back-ups. This is also the time for a firm’s IT team to update and patch systems, review remote access protocols and change all user and administrative login credentials.

Step 4 | Elimination

Once the issue has been determined, the root cause of the breach must be eliminated. This requires all malware to be securely removed, systems to be patched, and system and security updates to be applied.

Step 5 | Recovery

This next phase of the plan is when the restored and affected systems and devices are brought back into the business environment. This is also the time when a firm needs to get comfortable with operations and systems running again without fear of another breach.

Step 6 | Lessons Learned

Once the investigation is complete, hold a meeting with all involved parties to discuss lessons learned and how to prevent another breach from occurring. Determine what worked well in the response plan and where improvement can be made. Some questions to discuss are:

  1. What changes need to be made to security?
  2. How can we improve employee training?
  3. What weaknesses did the breach expose?
  4. How can another breach be prevented?

Remember, the IRP is not a static document. Any response to an incident will provide lessons on where improvements can be made. A periodic schedule for updating the IRP should be put in place to ensure it is effective in responding to today’s threat.

The Importance of Having an IRP

Increasing threats of cyber-attacks on both firms and investors and increased regulatory scrutiny make it imperative for firms to have a fully developed and tested IRP. Cybersecurity is drawing increased attention from the Securities and Exchange Commission (SEC), which recently issued proposed rules for private fund managers. It is imperative for firms to take effective action now so they are prepared with a plan should a cyber breach occur.

Scroll to Top