
How Good is Your Incident Response Plan?

The emphasis on cyber security strategy has changed lately. Companies are under constant attack, and no matter how good your security system is, it only takes one weak link to get in. Knowing that, most cyber security experts have shifted their strategy. The focus is no longer on keeping criminals out of your network, or protecting the perimeter, because given enough time they will get in. Rather, companies are now focusing their energy on how fast they can identify a breach, on compartmentalizing their data so that even if there is a breach the attackers don’t get access to the whole system, and on having a solid incident response plan so that if data is stolen, firms know what to do to minimize the damage.

For RIA firms, having a strong Incident Response Plan is even more important because it is one of the 6 key areas of focus for the SEC Cyber Security Exam this year.

But, what is an Incident Response Plan? Did you ever have to create a Family Emergency Escape Plan with your kids? We had to create one with our kids for a class, outlining what the family would do in case of an emergency like a tornado or fire. We had to outline who we would call, where we would go, and what supplies we needed to take with us.

For your IT people, an Incident Response Plan does the same thing. If a worst-case scenario were to occur, your plan would detail who is on the emergency team, what their responsibilities are, and the steps to be taken to protect the firm.

Three Key Components

A strong Incident Response Plan has three key components – breach identification, data collection, and action. The SEC will want to see the policies and procedures you have outlined for all three components should your firm and your clients’ data be subject to a cyber attack.

Some good resources to develop a robust plan include the NIST’s “Framework for Improving Critical Infrastructure Cybersecurity.” This provides a coherent framework for developing cyber security policy and procedures. Another is NIST Special Publication 800-30, “Guide for Conducting Risk Assessments – Information Security.” Both offer great advice for creating cyber security policies and procedures. However, these documents can be pretty technical.

Here’s a more high-level guide for Executives of RIA firms to understand the key components of a good Incident Response Plan so they know what they need to do to protect their firm and meet compliance standards.

Breach Identification

Basically, what systems and measures do you have in place to alert your IT team if your system has been hacked? And, if you have been hacked, how do you know whether it is a critical security incident? Some breaches need to be addressed immediately while others could be left alone. Most cyber breaches occur over a period of time, and companies can thwart them in several ways even after the attacker has gotten through the perimeter of your defenses. So even though a hacker may have accessed your system, it doesn’t mean that they got their hands on critical or sensitive information.

Your IT team needs to take on the role of a “forensics team” and probably bring in outside counsel to look for the clues, patterns, and methodology of the crime.

So in this section of your plan, you’ll need to provide guidelines to your forensics team to determine and document the scope, priority, and impact of a breach.

RIA firms should definitely use security monitoring tools to identify any suspicious behavior that requires further investigation. But as we have said, cyber security is not only a technology issue. It is a social issue. With proper training, every one of your employees is your first line of defense against a cyber attack. Train them to identify and not be afraid to report suspicious behavior.

Data Collection

To comply with the SEC’s Cyber Security Exam standards, it will be important to show that your firm is logging enough data on your network activity that a forensics team could see where the network was breached and what was taken.

When a breach occurs, the forensics team will need to document what information was affected, when the breach occurred, how the hacker got in, how long they had access to your system, and what changes can be made to your system to prevent it from ever happening again.

Forms and checklists could be invaluable for collecting incident data. provides some good sample incident report forms.


Action

Finally, if your network has been compromised and prioritized as critical, what is the response plan? Who needs to be called? What triage or fixes need to be made to the system? Do customers need to be notified about the breach? How will that be handled? Who will make the calls? What part of your system needs to be contained, eradicated, or recovered?

Having an action plan to follow with responsibilities outlined will keep everyone on your forensics team calm and collected and more importantly empowered to protect the firm and get business back to usual.

Need help creating an Incident Response Plan? Give us a call at 224-563-3602. We’d be happy to talk you through best practices and share how our new solution AdvisorGuard™ was designed specifically to give RIA firms the data needed to identify breaches, collect data for a forensic team, and comply with SEC mandates.

