Cyber Breach? Use This Framework to Create a Response Plan

Journal of Financial Planning: August 2019

Brian Edelman is a nationally recognized cybersecurity expert specializing in the financial services industry. He is CEO of FCI, a managed security service provider that offers cybersecurity solutions for financial services firms. He is also the FPA Coaches Corner coach for cybersecurity.


Given today’s new and evolving cyber threats, chances are that your company has or will be the target of an attack, putting sensitive information at risk. No country, industry, community, or individual is immune to cyber risks, and the impact of a mishandled response is significant and more costly than ever.

Since our way of life depends on infrastructure and on the digital technology that operates it, it is crucial that companies make cybersecurity a top priority and put a system in place to protect financial advisers, staff, and client data. My firm created a data breach incident response toolkit to provide guidance and a framework for building a systemized plan to follow when a data breach occurs. This column shares the fundamentals of that toolkit, which can be accessed online through the FPA Coaches Corner (OneFPA.org/CoachesCorner).

Elements of a Data Breach

Almost every business now collects or holds personally identifiable information (PII) belonging to clients, customers, employees, business partners, and others. PII includes: Social Security number; name; address; date of birth; account numbers (checking, credit, etc.); email address; and passwords. When PII falls into the wrong hands, it puts people at risk of identity theft.

A data breach can occur in four ways:

Theft or loss of equipment. Equipment that stores data, such as a laptop or a hard drive, can be the source of a data breach if it goes missing and ends up in the wrong hands.

Illegal hacking or hijacking. This includes illegal access to PII by hacking into a computer or by hijacking computers with viruses, trojans, and similar malware that, once inside, can steal data, corrupt it, or overload the systems.

Human error. A data breach can be caused by a disgruntled former employee, or by an untrained employee who was never properly taught how to keep information safe and how to avoid phishing scams.

Inadequate security or negligence. Failing to take the necessary precautions to safeguard data can result in a data breach.

Preparing for a Data Breach

While data breach prevention should be the primary goal, proactive planning can minimize the impact of a breach when it does occur. An incident response plan should include (but not be limited to) emergency contact lists, law enforcement agency contacts, and a time frame for notification. An incident response team should meet regularly to update that information, discuss any changes in the organization, review any incidents that have occurred, and evaluate the response process.

In the event of a data breach: (1) move swiftly and follow your incident response plan; and (2) document all events, people involved, and discoveries for evidential use.

Questions to ask when a data breach occurs include:

  • Was the data encrypted?
  • What data was included in the breach?
  • Was the data contained?
  • Could the exposed information pose any harm to the affected individual?

Building an Incident Response Team

Build an incident response team with representatives from:

Executive management. The firm’s leadership needs to be kept up-to-date during a data breach.

Information technology/risk management and security. Security and IT teams will work with forensic investigators to help identify what information was compromised and how it was compromised.

Customer service/HR. These individuals will play a critical role in the incident if employee or customer notification is determined to be a requirement.

Compliance and audit/legal/privacy. These individuals are responsible for finding out what the response must include, determining whether affected individuals should be notified, and identifying the legal requirements for the content of the notification. They will also decide which external organizations should be contacted.

Public relations/marketing. PR and marketing individuals need to be involved in the breach incident. If notification is required, it is crucial to begin it in a timely manner, and the PR/marketing teams need to ensure that consistent messages are shared throughout the response.

When building the incident response team, you must assign an incident response lead—typically from the legal department or the chief compliance officer—to direct and manage the incident response team. This individual will be in frequent contact with executive management and is the lead for a breach response. This person will coordinate efforts among all groups; notify all appropriate people externally and within the company; create the documentation and timeline of activities; identify key tasks; and estimate costs.

Creating an Incident Response Plan

The company should have a written incident response plan (IRP) that is continuously updated with the latest contact lists and other documents. Here is an overview of the questions an IRP should answer:

How is an incident reported and documented? Have a plan in place to document everything. Maintain forensic integrity; treat a data breach like a crime scene. Determine who contacts law enforcement.

Do you know who you are going to call? The internal response team is created. An internal response team emergency contact list exists and is regularly updated.

Are vendor contracts in place? Vendors to have under contract include a forensic investigator, a mail house for notification letters, a call center, and a consumer identity protection provider.

What is the process for determining if notification is required? Legal counsel understands laws, timeline obligations, and specific state laws (based on where an individual lives, not the location of the company).

If notification is required, is your organization prepared? What will be said to the public? Who writes and approves the notification letter? How will it be sent? What will be provided to protect the individuals? Do you have call center scripts? What about a website with FAQs and additional information?

How will this effort be funded? Is there a cyber insurance policy in place? If so, what response vendors are approved or covered by the policy?

Sending Notifications of a Data Breach

Depending on the assessment of the severity, scope, and nature of the data that was compromised, not every incident will require notifying customers and other businesses. If the situation does warrant notifying customers and other businesses, take the following into consideration:

Notifying affected individuals. If you determine that you are going to notify the individuals in one state because of a specific state law, you should notify all individuals affected by the breach. The general guideline is to treat all affected breach populations equally.

Is your organization exempt from notifying consumers? Organizations may not have to notify affected consumers in the following situations:

  • Encrypted data—some states do not require notification if the compromised data is encrypted.
  • Questionable misuse—some state laws do not require notification unless there is “reasonable belief” that the breached data has been misused.
  • Public availability—if the breached information is already publicly available from a government agency, notification may not be required in some states.
  • Doubtful use—in some cases where a breach was stopped and there is reasonable doubt that the information was accessed or used by criminals, some states do not require notification.

Once the decision has been made to notify, the notification letter is a critical element of communication. The fundamental rule of a successful letter is to be open, honest, and direct with the consumer. In addition, the notification should be well organized and concise. It should be obvious who is sending the notification and exactly what action is required of the consumer.

For additional resources from this author, including the complete incident response toolkit that provides a data breach checklist and sample notification letter, see the Cybersecurity area of the FPA Coaches Corner at OneFPA.org/CoachesCorner.
