Cyber incident management: is your financial services firm ready?
6 min read 17 December 2024
We’re living in a world where disruptive incidents, geopolitical crises, persistent cyber attacks, and economic uncertainty are increasingly the norm. Businesses’ operating environments are becoming increasingly complex, and so are the technology and partner ecosystems they rely on.
Financial services organisations face an additional challenge. As well as navigating this complexity and volatility, they must also respond to a fast-evolving global regulatory agenda focused on the digital resilience of their businesses.
Just last week, UK regulators published parallel consultation papers on Operational Incident and Third Party Reporting, aimed at setting out clearer expectations for firms on how and when to inform regulators about operational incidents. Alongside other regulations such as the EU’s Digital Operational Resilience Act (DORA), the NIS2 Directive, APRA’s CPG 234 in Australia and the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, financial services firms are under continuous and intensifying pressure from regulators to ensure digital resilience.
An interconnected landscape
This broad-ranging regulatory landscape recognises and seeks to mitigate a key risk: incidents no longer stop at an organisation’s borders. A single software update pushed out by security firm CrowdStrike in July 2024 caused outages globally, affecting around 8.5 million Windows devices and leaving flights grounded, hospital records inaccessible, and businesses unable to open.
To survive and thrive in this environment, you need to be aware of the types of threats you face and the impacts that these can have on your systems and those of your providers. You need to put in place the right plans, processes, and playbooks to embed resilience across your technology, processes, and people. And, of course, you need to do all this while competing in a fast-changing marketplace.
Three essential actions for risk readiness
So where should you concentrate your efforts? Based on our experience working with financial services organisations across the world, we’ve identified three areas to focus on.
1. UNDERSTAND: Get familiar with regulatory scope and reporting requirements
First and foremost, you need to understand which regulations apply to your business and what the scope of those regulations will be – for your own operations and for the providers on which you depend.
For example, DORA has specific requirements for major incident management reporting and cyber incident reporting. Following the detection of a major incident, you’re required to submit notifications and reports to the authorities within a certain timeframe. The regulation also provides details on the content of each notification or report, a prescribed template, and a glossary defining the specific terms.
More recently, the Financial Stability Board published a consultation on incident reporting exchange, which looks to standardise reporting of operational incidents. The consultation report sets out 99 potential information items that, if adopted by authorities, would become requirements for firms.
What’s more, last week UK regulators published parallel consultations on operational incident and third party reporting, which set out a proposed definition of an incident, thresholds for determining important business services, a proposed incident reporting process, and factors firms should consider in assessing an incident’s impact.
It’s therefore vital that you identify and become familiar with these evolving regulatory reporting requirements – as well as build the capabilities needed to meet them. This includes reviewing all relevant reporting timelines and deadlines, as well as in-scope systems and processes.
It’s also essential to build teams with the right digital forensics and e-discovery skills and capabilities required to provide accurate metrics for incident reporting. You need to develop mechanisms that provide clarity on any and all actions needed to mitigate the risks an incident creates.
To coordinate these efforts and ensure enterprise-wide alignment, you should consider establishing the role of incident manager – responsible for managing and resolving incidents that disrupt normal business operations. You might also want to consider delivering regulation-led training for board members to ensure accountability at every level.
When working with clients, we always suggest building a resilience-driven operating model that not only meets regulatory requirements, but also ensures the continued resilience of the business. Regulation isn’t just about meeting compliance deadlines, it’s about building threat frameworks that successfully identify, assess, and mitigate risks before they become serious incidents.
2. PLAN: Embed a structured approach to incident management
As you focus on refining your ICT incident management framework and ensuring its alignment to broader enterprise risk management, you need to put in place a structured incident response approach.
This includes establishing appropriate plans, procedures, and processes, determining the likely impacts of incidents on your critical and important functions (CIFs), and identifying the maximum tolerable levels of disruption for each one (their ‘impact tolerance’). Your incident management plan should outline how you’ll respond to incidents, including how to identify, contain, and minimise the impact of security breaches. It should also include how to communicate with stakeholders during and after an incident.
There should also be a complementary cyber security incident management plan, as the nature of these incidents differs from other ICT incidents. For example, in ransomware attacks it’s important to isolate infected machines from the network rather than shut them down, because powering a machine off discards the volatile evidence held in memory. Preserving forensic evidence in this way will, first, aid incident management reporting to the regulator and, second, help identify where the malicious software may have spread.
Procedures for detecting, managing, and reporting incidents should include how to identify and document the root causes of incidents to prevent them from recurring. Processes also need to be put in place for classifying incidents as major or significant, and for reporting them to the regulator, clients, or the public as appropriate. You should make sure your documentation and procedures are detailed enough to meet regulatory requirements, but not so prescriptive that they become constraining.
You also need to be clear about all key stakeholders across the incident management lifecycle. When working with clients, we often start by establishing roles and responsibilities among our key stakeholders. This means identifying who they are, where they’re located, and what their obligations should be. This imperative encompasses all relevant parties within your own organisation, together with third-party providers (including cyber insurers) and, potentially, their partners too. You want to make sure that they’re all confident and properly equipped with the processes, authority, and knowledge needed to run incident response and able to access all relevant documentation.
For cyber incidents in particular, you should ensure your plans contain a list of critical services to help prioritise recovery, as well as arrangements for the crisis management team to communicate with each other if systems are unavailable. It’s also advisable to have a set of supporting playbooks that structure the technical teams’ response, providing step-by-step guidance for managing the incident through detection, triage and analysis, containment and eradication, and recovery.
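As an added illustration (not Baringa’s code, nor any regulator’s rule set), the following Python sketch shows how the plan elements described above can be made measurable rather than left as prose: each critical or important function carries an impact tolerance, an incident is classified by whether any tolerance has been breached, a reporting clock is derived from the detection time, and the ransomware containment point is encoded as explicit guidance. Every tolerance, deadline, classification rule and sample incident in it is a constructed assumption; the real thresholds and deadlines come from your own tolerances and the applicable regulation’s text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical impact tolerances per critical or important function (CIF):
# the maximum tolerable outage for each. Constructed values, not any firm's
# real tolerances.
IMPACT_TOLERANCE: Dict[str, timedelta] = {
    "payments": timedelta(hours=2),
    "online-banking": timedelta(hours=4),
    "internal-reporting": timedelta(hours=24),
}

# Hypothetical reporting clock measured from detection. Constructed for
# illustration; real deadlines come from the applicable regulation's text.
REPORT_DEADLINES: Dict[str, timedelta] = {
    "initial_notification": timedelta(hours=4),
    "intermediate_report": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


@dataclass
class Incident:
    incident_id: str
    detected_at: datetime
    # CIF name -> (outage start, outage end or None if still ongoing)
    affected_cifs: Dict[str, Tuple[datetime, Optional[datetime]]]
    suspected_ransomware: bool = False


def outage_duration(start: datetime, end: Optional[datetime], now: datetime) -> timedelta:
    """Length of an outage; an ongoing outage is measured up to 'now'."""
    return (end or now) - start


def breached_cifs(incident: Incident, now: datetime) -> List[str]:
    """CIFs whose outage already exceeds their impact tolerance."""
    breached = []
    for cif, (start, end) in incident.affected_cifs.items():
        tolerance = IMPACT_TOLERANCE.get(cif)
        if tolerance is not None and outage_duration(start, end, now) > tolerance:
            breached.append(cif)
    return sorted(breached)


def classify(incident: Incident, now: datetime) -> str:
    """Hypothetical classification rule: 'major' if any impact tolerance is
    breached, 'significant' if a CIF is affected at all, otherwise 'minor'."""
    if breached_cifs(incident, now):
        return "major"
    if incident.affected_cifs:
        return "significant"
    return "minor"


def reporting_schedule(incident: Incident, now: datetime) -> Dict[str, dict]:
    """Due time and overdue flag for each regulatory report of a major
    incident; non-major incidents return an empty schedule."""
    if classify(incident, now) != "major":
        return {}
    schedule = {}
    for report, delta in REPORT_DEADLINES.items():
        due = incident.detected_at + delta
        schedule[report] = {"due": due, "overdue": now > due}
    return schedule


def containment_guidance(incident: Incident) -> str:
    """Encodes the plan's ransomware point: isolate from the network but keep
    the machine powered on so volatile evidence survives."""
    if incident.suspected_ransomware:
        return "isolate-from-network; keep powered on; preserve memory and disk images"
    return "follow standard ICT incident containment steps"


def sample_incident() -> Tuple[Incident, datetime]:
    """Constructed sample: detected 09:00; payments down 08:30-11:00 (2.5h,
    breaches its 2h tolerance); online banking down 08:30-10:00 (within
    tolerance); evaluated at 14:00, so the 4h initial notification is overdue."""
    t = datetime(2024, 12, 10, 9, 0)
    inc = Incident(
        "INC-0001",
        detected_at=t,
        affected_cifs={
            "payments": (t - timedelta(minutes=30), t + timedelta(hours=2)),
            "online-banking": (t - timedelta(minutes=30), t + timedelta(hours=1)),
        },
        suspected_ransomware=True,
    )
    return inc, t + timedelta(hours=5)


if __name__ == "__main__":
    inc, now = sample_incident()
    print(inc.incident_id, classify(inc, now), "breached:", breached_cifs(inc, now))
    for name, entry in reporting_schedule(inc, now).items():
        print(name, entry["due"].isoformat(), "OVERDUE" if entry["overdue"] else "on track")
    print(containment_guidance(inc))
```

The design point is that an ongoing outage is measured up to the evaluation time, so an incident that starts as “significant” is re-classified as “major” the moment a tolerance is crossed, which is exactly when the reporting clock (already running from detection) starts to matter.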
3. EXERCISE: Stress-test resilience and learn from experience
When crises occur, it’s human nature for people to enter ‘fight or flight’ mode, relying on their gut instinct to deal with the situation. That’s why conducting incident simulation exercises is so important. Having developed the plans, procedures, and processes that you need to respond to incidents, make sure your teams – at all levels – understand how well these will perform under pressure and develop the muscle memory to roll them out quickly.
Your top priorities should include:
- Training and upskilling your people (from the CEO and executive team through to the technical teams responsible for ‘keeping the lights on’) so they understand what their role is when an incident occurs and how they perform under pressure, with opportunities for key players to maintain certifications and keep core skills current. This should include delegates, who are identified as deputies, but who may need to step up into a primary role within the crisis management team.
- Creating a ‘gold command team’ comprised of senior executives/C-suite that will take overall command and control of incidents when they occur. Often, these individuals are a non-cyber specific crisis team, providing a structured hierarchical framework, with operational clarity for incident management responses.
- Regularly exercising and stress-testing your incident response plans in realistic scenarios to identify any gaps, capture lessons learned, and assess their overall practicality.
- Developing playbooks/runbooks built on lessons learned from stress testing and embedding this experience into your incident management capability to support ongoing improvement.
You should review scenarios to make sure you stress-test the appropriate area of risk. For instance, a cyber attack is a popular scenario with firms given that it features highly on the enterprise risk register for many boards. Scenarios should reflect the latest tactics, techniques, and tools used by threat actors and should be tailored to your organisation’s technology environment so that the scenario is credible.
Your exercising should extend to critical third parties (and, where appropriate, their providers too) to demonstrate holistic capability. You’ll also need to implement and maintain appropriate controls to evidence third-party incident response capabilities on an ongoing basis.
Readiness is everything
Approaching incident management as a tick-box exercise is no longer viable. You need to prepare for something that may well happen, and that preparation is a continuous process you must incrementally review and adjust. For cyber incidents, data and system backups are non-negotiable. In a disruptive attack, neglecting them could leave you unable to recover critical services and forced to pay a ransom.
This ongoing recalibration should flow from conversations with the regulators, with internal stakeholders, and with third-party providers. The bottom line: in today’s cascading risk landscape, where actions by third parties can rapidly impact the resilience of your own operations, setting up effective incident management can never be a ‘one-and-done’ exercise.
How Baringa can help
At Baringa, we bring real-world experience in managing global incidents across industry and government to rapidly enhance your response capabilities and embed digital risk management at the heart of your operations.
Whether it’s identifying your critical assets, building robust incident management frameworks, or upskilling and exercising your people, we help you navigate the uncertainties of an incident with confidence, enabling you to innovate safely.
We combine technical expertise with deep industry knowledge to earn trust from both your leadership and technology teams. And our unbiased advice ensures you invest only in what’s necessary to secure your firm.
Want to put your firm’s resilience to the test? Get in touch.