Here’s what the FTC’s Safeguards Rule says your incident response plan should include.
4/10/2023 2:30 P.M.
According to a report by Shred-it, 63% of C-level executives and 67% of small businesses in the U.S. do not have an incident response plan. Are you one of those?
If your business must comply with the FTC Safeguards Rule (i.e., it collects data on more than 5,000 customers), you need a written incident response plan. What if you don’t meet the 5,000-customer threshold? You should still have one. Why?
Financial institutions are a top target for cybercriminals because of the valuable, sensitive information they hold. Without a well-designed incident response plan, companies risk significant financial loss, damage to their reputation, and even legal consequences.
What is an incident response plan?
An incident response plan is a comprehensive document that outlines how a company would respond to a security event. The FTC says in the text of the rule, “Every business needs a ‘What if?’ response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form.”
What should it include?
Here is what your plan should include, based on Section 314.4(h) of the Safeguards Rule:
- The goals of your plan;
- The internal processes your company will activate in response to a security event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside your company;
- A process to fix any identified weaknesses in your systems and controls;
- Procedures for documenting and reporting security events and your company’s response; and
- A post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.
While not specified in the text of the rule, it’s also a good idea to include provisions for regular training of all members of the incident response team and testing the plan to ensure it’s still effective and current.
As cyber threats change and evolve quickly, the plan needs to be reviewed periodically, ideally every six months.
You can find more information on what to include in TPx’s FTC Safeguards eBook.
If your team is stretched thin or lacks the expertise, TPx can generate an incident response plan or evaluate your current one to ensure defensibility for the FTC Safeguards Rule requirements. Go to tpx.com/aca to get started.
A solid incident response plan helps protect your business against cyberattacks, prepare for unexpected incidents, and minimize the impact of any incidents that do occur. With a comprehensive plan in place, you can protect your clients’ data and maintain your reputation as a trustworthy and reliable institution.