Cyber Incident Reporting Guide: The Top 3 Urgent Postattack Response Steps
By Tim Oppelt
Financial institutions deal not only with state laws around consumer data but also with multiple federal laws. What makes these compliance efforts complex is that some of these laws approach the problem from a consumer protection perspective, while others originated from an interest in maintaining safety and soundness in a highly interconnected financial system.
So, what should you do in the event you think a system or an email account might be compromised?
- Pull out any cyber insurance you have. Note that the FTC has good resources on the basics of what to review for in cyber insurance policies. Your cyber insurance provider may have incident response coordinators on call to assist you. You can also call law firms like us to help navigate both investigation and compliance. Have counsel help get a handle on what is happening.
- Work with experts to make sure the breach has stopped. If possible, do so in a way that also preserves evidence of the breach. This can include changing passwords and terminating active sessions. It can also include disconnecting potentially impacted hardware from any internet connection to prevent spread or further intrusion.
- Take evidence-preservation steps. Preserving logs is important. In many environments, logs are configured to expire as soon as 7 days after they are recorded, so the evidence an investigation needs can disappear before anyone looks for it. Longer log retention settings can be of great help in investigations.
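The preservation step above is the one most often lost to short retention windows. As an added example (not code from the article or its author), the Python script below shows the minimum a defender would do: copy the needed log files into an evidence directory before they expire, record a SHA-256 manifest so the copies can later be shown to be unaltered, and re-check that manifest on demand. The log contents, file names and directory layout are constructed for the example and are assumptions, not real data.

```python
"""Evidence-preserving log snapshot (added example, not the article's code).

Copies log files into an evidence directory, writes a SHA-256 manifest, and
verifies that manifest later. All paths and sample log lines are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir) -> dict:
    """Copy each source log into evidence_dir and write manifest.json.

    copy2 keeps the original modification times; hashing both the source and
    the copy catches corruption during collection, and an existing evidence
    file is never overwritten.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "files": []}
    for src in map(Path, sources):
        dest = evidence_dir / src.name
        if dest.exists():
            raise FileExistsError(f"evidence already present: {dest}")
        original_digest = sha256_file(src)
        shutil.copy2(src, dest)
        copy_digest = sha256_file(dest)
        if copy_digest != original_digest:
            raise IOError(f"copy of {src} does not match its source")
        manifest["files"].append({
            "source": str(src),
            "evidence": str(dest),
            "size": dest.stat().st_size,
            "sha256": copy_digest,
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir) -> list:
    """Re-hash every preserved file; return the names that no longer match."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    tampered = []
    for entry in manifest["files"]:
        p = Path(entry["evidence"])
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            tampered.append(p.name)
    return tampered


# Constructed sample logs (assumption: syslog-style lines; not real data).
SAMPLE_LOGS = {
    "auth.log": (
        "Mar 03 09:14:02 mailhost sshd[2201]: Accepted password for alice from 10.0.0.5\n"
        "Mar 03 09:20:45 mailhost sshd[2233]: Failed password for root from 203.0.113.7\n"
    ),
    "mail.log": "Mar 03 09:21:10 mailhost imap: login user=alice client=203.0.113.7\n",
}


def write_sample_logs(log_dir) -> list:
    """Create the constructed sample logs under log_dir; return their paths."""
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for name, text in SAMPLE_LOGS.items():
        p = log_dir / name
        p.write_text(text)
        paths.append(p)
    return paths


def run_demo(work_dir=None) -> dict:
    """Write sample logs, preserve them, verify, then show tampering being caught."""
    work = Path(work_dir or tempfile.mkdtemp())
    logs = write_sample_logs(work / "var_log")
    manifest = preserve_logs(logs, work / "evidence")
    before = verify_evidence(work / "evidence")
    # Simulate a preserved file being edited after collection.
    (work / "evidence" / "auth.log").write_text("edited after collection\n")
    after = verify_evidence(work / "evidence")
    return {"manifest": manifest, "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the evidence directory would sit on separate, write-protected storage and the manifest would be handed to counsel or the forensic team along with the copies; the point of the digests is that anyone can later show the preserved logs are the same bytes that were collected.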
Those three things should be done within hours, or at most days, of discovering an issue.
From there, note that financial institutions’ legal obligations will be kicking in. For banks, cyber incidents that would disrupt operations must be reported to the institution’s primary federal regulator within 36 hours. Credit unions, starting September 1, 2023, will have 72 hours from discovery of a reportable cyber incident to report to the NCUA. For credit unions, that includes any substantial loss of confidentiality (so, a successful business email compromise). While institutions previously waited to report to their regulators until they had a handle on the situation, regulatory notices are now often required before significant facts have been developed. Institutions and their counsel will need to get used to that uncertainty.
Then, the real work begins in the name of consumer protection. Forensic review to nail down the scope of a compromise is followed by careful review of the content of an account for consumer information. The consumer information that can trigger reporting obligations varies by the state where the consumer lives, so no matter where your institution is, you have a 50-state compliance effort. This sifting process is where cyber insurance provides a key benefit, since reviewing the records requires both technology and significant staff hours.
Cyber insurance also comes into play when sending consumer notices, which generally come with an obligation to offer credit monitoring or protection tools, and especially when setting up a call center resource trained to respond to the specific issue and incident. While relatively few consumers sign up for those resources or call with questions, a bungled response by your normal call center can significantly increase the reputation risk that arises from consumer perception that your IT infrastructure was vulnerable.
Knowing what tools you have available, and knowing what the first calls to make are, can save significant expense and worry!