Lessons Learned: Wargaming Your Incident Response Plan

Data breaches and cyber incidents made headlines again recently with the announcement that 50 million Facebook accounts were compromised as well as the SEC’s issuance of sanctions against a dual registrant stemming from the firm’s response to phishing attacks. So it was both timely and fitting that U.S. intelligence community veteran Jeff Welgan, Executive Director and Head of Executive Training Programs at Cybervista, kicked off the Ascendant/CSS compliance conference in San Diego with an interactive workshop on incident response, “Cyber Incidents and Response: Keeping Cool in the Line of Fire.”

Joining Mr. Welgan was E.J. Yerzak, Director of Cyber IT Services at CSS, who provided context for the wargaming workshop by discussing the current cybersecurity landscape. Mr. Yerzak noted that phishing continues to be the leading attack vector, as people are the biggest cyber risk, and even smart people can make mistakes when it comes to security awareness. In addition, malware continues to evolve as hackers try to stay one step ahead of detection capabilities.

Since it only takes one employee to compromise a firm, testing your incident response plan with tabletop exercises and wargaming under time constraints is key to avoiding complacency and maintaining the ability to think critically during a crisis. Mr. Welgan gave each attendee a very specific role to play at a fictitious firm, placing them directly in the data breach scenario as it unfolded, and challenged attendees to step outside their comfort zones in making critical decisions quickly while balancing competing business priorities and incorporating new facts.

Attendees rose to the challenge and helped navigate their fictitious firm through its incident response and recovery efforts. And in the process, the wargaming workshop revealed some helpful takeaways for firms to consider going forward, including:

  • Paying a bitcoin ransom is generally not a good idea, but some firms do pay it if the cost-benefit analysis tilts in favor of that action
  • Cyber incidents can rapidly increase in scope and complexity as additional facts are learned
  • The costs of a cyber incident can range from financial payout (ransom) to downtime, lost productivity, forensic investigation costs, and repair and recovery costs, as noted in the SEC’s Interpretive Guidance on Cybersecurity Disclosure from Feb. 2018

Coordination of response efforts involves multiple roles and perspectives, but ultimately, someone must make a decision and be sufficiently authorized to put it in motion.
