How Is Your Incident Response Plan?

67% of small businesses in the U.S. do not have an incident response plan.

Here’s what the FTC’s Safeguards Rule says your incident response plan should include.

4/10/2023 2:30 P.M.

According to a report by Shred-it, 63% of C-level executives and 67% of small businesses in the U.S. do not have an incident response plan. Are you one of those?

If you are a business that must comply with the FTC Safeguards Rule (a financial institution that maintains customer information on 5,000 or more consumers), you are required to have a written incident response plan. What if you fall below the 5,000-consumer threshold? You should still have one. Why?

First, financial institutions are a top target for cyber criminals due to the valuable, sensitive information they hold. Without a well-designed incident response plan, companies risk significant financial loss, damage to their reputation and even legal consequences.

What is an incident response plan?

An incident response plan is a comprehensive document that outlines how a company will respond to a security event. The FTC puts it this way in its guidance on the rule: “Every business needs a ‘What if?’ response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form.”

What should it include?

Here is what your plan should include, based on Section 314.4(h) of the Safeguards Rule:

  • The goals of your plan;
  • The internal processes your company will activate in response to a security event;
  • Clear roles, responsibilities, and levels of decision-making authority;
  • Communications and information sharing both inside and outside your company;
  • A process to fix any identified weaknesses in your systems and controls;
  • Procedures for documenting and reporting security events and your company’s response; and
  • A post-mortem of what happened, and a revision of your incident response plan and information security program based on what you learned.

While not specified in the text of the rule, it’s also a good idea to include provisions for regular training of all members of the incident response team and testing the plan to ensure it’s still effective and current.

As cyber threats change and evolve quickly, the plan needs to be reviewed periodically, ideally every six months.

You can find more information on what to include in TPx’s FTC Safeguards eBook.

If your team is stretched thin or lacks the expertise, TPx can generate an incident response plan or evaluate your current one to ensure defensibility for the FTC Safeguards Rule requirements. Go to to get started.

A solid incident response plan helps protect your business against cyberattacks, prepare for unexpected incidents, and minimize the impact of any incidents that do occur. With a comprehensive plan in place, you can protect your clients’ data and maintain your reputation as a trustworthy and reliable institution.

If you have executive leadership updates or other member news to share with ACA, contact our communications department at [email protected]. View our publications page for more information and our news submission guidelines here.