A news story that broke in late June further illustrates that even beyond the desire to heed FFIEC guidance, financial institutions have plenty of incentive to develop an incident response policy and make it a useful document. According to reports, a computer hacker stole customer information from “over 79 large banks” and uploaded this information to Pastebin.com. This story is a grim reminder that even with strong security controls, it is still very possible for a financial institution to have private information stolen.
Whether by exploiting known vulnerabilities, zero-day vulnerabilities that are not yet publicly acknowledged, or socially engineering victims, malicious outsiders intrigued by the challenge, notoriety, and potential financial gain will continue to break into computer systems. Even with state-of-the-art security controls, no financial institution is 100% safe, which illustrates the need for an incident response program. An incident response program will not help a financial institution prevent a security incident, but it will help mitigate the impact of the worst-case scenario.
A data security incident will undoubtedly result in significant operational, financial, and reputational damage to a victimized financial institution. Worse, firms that fail to respond send the message that they are trying to hide behind a veil of secrecy. If, instead of panicking, withholding a public statement, and refusing to confirm that an incident has taken place, the financial institution responds quickly and rectifies the issue, it will ultimately look more proactive and less foolish. A well-crafted incident response policy gives the company a blueprint for isolating, minimizing, and rectifying the problem rather than reacting irrationally in a moment of panic. The fact that financial institutions are being hacked, together with the ever-present possibility of zero-day vulnerabilities, may indeed be a more compelling reason to develop an incident response policy than regulatory compliance.