KBA March/April 2019

For many financial institutions, Business Continuity Plan (BCP) tests are easy to identify and straightforward to document: senior management is familiar with the concept, and the tests occur fairly frequently, either because they are scheduled in advance or because Internet, phone, or power outages happen to every business at some point. When it comes to Incident Response Plan (IRP) tests, however, the situation is not so clear. Part of the reason may be that the FFIEC actually includes Incident Response Testing as part of the Business Continuity Planning Booklet, and part may be that, like things that happen in Vegas, incidents aren't spoken of after they occur. The answer may also depend on who you ask and on whether there was any resulting reputational damage, which makes the picture even muddier.

What's the difference?

The first step in making IRP tests a little easier to understand is to define what an incident is and how it differs from any other BCP situation. The FFIEC defines a security incident as "the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data."[1] From this definition, an incident directly affects the confidentiality, integrity, or availability of systems or data. Examples of incidents include the following:

  • Computer penetration attempts
  • Unauthorized account use
  • Ransomware
  • Stolen laptop
  • Fraudulent wire requests

In contrast, most BCP tests only address the availability of systems or data to ensure a business function or process can either continue or be restarted. When discussing and documenting a server restoration or recovery from a power outage, the topic of data confidentiality or integrity doesn't come up. All that matters is successfully restoring availability so the institution can be fully operational.

How are they similar?

Although the impact to data is different, the steps to take after either type of test are similar, but may vary by institution and should be described in detail in a documented, Board-approved Incident Response Plan. If an institution does not currently have an IRP in place or wants additional guidance, a great place to look is the Incident Identification and Assessment[2] and Incident Response[3] sections of the FFIEC Information Security Booklet. In general, the following need to occur once a suspected or actual incident is identified:

  • Notification of Response Team
    • The institution should have a team responsible for business continuity as well as a team responsible for incident response. Positions on these teams are typically assigned to management, who can then assign roles as necessary to other employees.
  • Root cause identification and containment
    • You can't stop what you don't know about. It is imperative not only to identify the cause of the incident or business interruption, but also to ensure no further damage occurs as a result.
  • Notification of Regulators and Law Enforcement
    • Required only under certain situations, such as known loss of institution or customer data/funds.
  • Restoration of compromised data
    • Whether the data has simply been unavailable or its integrity has been fully compromised, restoring from a known-good backup is a vital part of both types of tests.
  • Documentation
    • If it isn't written down, it didn't occur. Additionally, it's easy to forget details as time passes once the situation has been resolved. WRITE IT DOWN.
  • Lessons learned and Plan modification
    • A plan is only effective if it has been tested and changed based upon test results. Did the current process function as intended or were there hiccups or additional steps that need to be taken? Adjust as needed.
  • Board reporting
    • Just as the Board needs to be aware of any impact to business processes, the members of the Board should also be informed not only of any incidents that did occur, but also of the outcomes and what changes were made as a result. After all, the modified plan has to be approved by them anyway, right?

Test! Test! Test!

The BCP and IRP should be tested for a variety of situations, and both planned and unplanned tests should be included. For members of FS-ISAC, the Cyber-Attack Against Payment Systems[4] (CAPS) Exercise is available as a walkthrough test. Additionally, the FDIC has some videos[5] available that address different scenarios and include questions to help discuss how the institution would handle the same scenario. It's not a question of if, but when, an incident will affect important institution or customer data, and ensuring the plans and procedures are effective when that time comes is the best way to be prepared.


[1] https://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/other-policies,-standards-and-processes/incident-response.aspx

[2] https://ithandbook.ffiec.gov/it-booklets/information-security/iii-security-operations/iiic-incident-identification-and-assessment.aspx

[3] https://ithandbook.ffiec.gov/it-booklets/information-security/iii-security-operations/iiid-incident-response.aspx

[4] https://www.fsisac.com/Exercises-CAPS

[5] https://www.fdic.gov/regulations/resources/director/technical/cyber/purpose.html