Lessons Learned: Wargaming Your Incident Response Plan

Data breaches and cyber incidents made headlines again recently with the announcement that 50 million Facebook accounts were compromised as well as the SEC’s issuance of sanctions against a dual registrant stemming from the firm’s response to phishing attacks. So it was both timely and fitting that U.S. intelligence community veteran Jeff Welgan, Executive Director and Head of Executive Training Programs at Cybervista, kicked off the Ascendant/CSS compliance conference in San Diego with an interactive workshop on incident response, “Cyber Incidents and Response: Keeping Cool in the Line of Fire.”

Joining Mr. Welgan was E.J. Yerzak, Director of Cyber IT Services at CSS, who provided context for the wargaming workshop by discussing the current cybersecurity landscape. Mr. Yerzak noted that phishing continues to be the leading attack vector as people are the biggest cyber risk and even smart people can make mistakes when it comes to security awareness. In addition, malware continues to evolve as hackers try to stay one step ahead of detection capabilities.

Since it only takes one employee to compromise a firm, testing your incident response plan with tabletop exercises and wargaming under time constraints is key to avoiding complacency and maintaining the ability to think critically during a crisis. Mr. Welgan gave each attendee a very specific role to play at a fictitious firm, placing them directly in the data breach scenario as it unfolded, and challenged attendees to step outside their comfort zones in making critical decisions quickly while balancing competing business priorities and incorporating new facts.

Attendees rose to the challenge and helped navigate their fictitious firm through its incident response and recovery efforts. And in the process, the wargaming workshop revealed some helpful takeaways for firms to consider going forward, including:

  • Paying a bitcoin ransom is generally not a good idea, but some firms do pay it if the cost-benefit analysis tilts in favor of that action
  • Cyber incidents can rapidly increase in scope and complexity as additional facts are learned
  • The costs of a cyber incident can range from financial payout (ransom) to downtime, lost productivity, forensic investigation costs, and repair and recovery costs, as noted in the SEC’s Interpretive Guidance on Cybersecurity Disclosure from Feb. 2018

Coordination of response efforts involves multiple roles and perspectives, but ultimately, someone must make a decision and be sufficiently authorized to put it in motion.

Related Content

Latest Content

A New View of How Technology Will Change the Emerging Crytpo-Economy

From the top of the world, it’s amazing what you can see.  I recently had the opportunity to travel to the United Arab Emirates to speak in Dubai at the 7th Edition of the Alternative Investment Management Summit. While I was there, I took a few moments to ride to the top of the Burj … Continued

SEC Retail Investor Focus Turns Towards Registered Investment Companies

Earlier this year when the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2018 examination priorities, OCIE stated that a core priority was to protect retail investors, including seniors and individuals saving for retirement. OCIE is now continuing this effort by focusing on mutual funds and exchanged-traded funds (together, the “Funds”) as the … Continued

SEC Alerts Investment Advisers to Review Solicitor Arrangements

On October 31, OCIE issued a new Risk Alert for investment advisers with solicitor arrangements. The SEC periodically releases risk alerts to notify the industry of deficiencies they are finding during examinations, and this latest alert puts investment advisers with solicitor arrangements on notice to check their solicitor agreements, policies and procedures, and disclosure documents. … Continued

Pennsylvania Sounds Warning Bell Over Client Credentials and Custody

The Pennsylvania Department of Banking and Securities (PDOBS) has indicated in recent guidance two concerns related to investment advisers using client credentials to access a custodial account(s). In the letter dated September 25, 2018, PDOBS indicates that the use of client credentials may create custody and is considered to be a dishonest and unethical practice. … Continued

San Diego 2018 Conference Gallery

Ascendant/CSS San Diego Conference Another compliance conference is in the books. We had a great time in San Diego, and we think our attendees did, too. We hope to see you in Miami! (Click on photos to view full size.)  

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.