The latest SEC rules share an underlying theme: they all require covered entities to respond to and report cybersecurity incidents. They also require a written incident response plan. And while having an incident response plan has been a “best practice” for some time, the SEC’s rules may subject the contents of that plan to greater regulatory scrutiny.
It is critically important for firms to revisit and refine their written incident response plans.
In evaluating your incident response plan, several critical considerations include:
- Who is part of your response team? Do you have representatives from the appropriate divisions? This should include not just your IT team, but also stakeholders from throughout the organization, including legal, public relations, human resources, operations, and representatives of the C-suite.
- How will you classify the severity of an incident? This will largely depend on how your most critical assets and operations are affected by an incident. How does your response differ depending on the severity of an incident?
- Who has to be notified internally and when? It is critically important to control information about an incident due to the effect it can have on liability and potential class-action lawsuits. Incident response plans have to include notification procedures for management, boards, and customer-facing personnel.
- When do you need to notify regulators and/or law enforcement? Cybersecurity reporting regulations and statutes are constantly changing and can vary significantly among geographic regions and sectors. That means incident response plans have to be updated regularly and reviewed by competent legal counsel to ensure compliance in the event of an incident.
- What other third parties must be involved to contain and control the incident? Vetting and retaining competent outside legal counsel, insurers, forensic vendors, e-discovery firms, and/or marketing/PR providers before any incident will allow for an efficient and timely response and recovery.
- When do you need to notify customers? All 50 states, various federal and industry-specific regulations, and international legal frameworks mandate individual notification requirements. Depending on the scope of the incident, each of these requirements may have to be taken into consideration and incorporated into your incident response plan.
Use this checklist as a foundation for any ongoing cybersecurity compliance plan for your advisory firm. Our industry continues to evolve best practices and increase compliance complexity – that’s why having a plan is always important, but revisiting that plan remains paramount. Support from advisory compliance software solution providers like Smartria can help eliminate the noise and ensure your business is always prepared for the unknown.
Learn more about Smartria’s core capabilities.