Credit unions spend millions of dollars complying with regulation designed to reduce the risk that the use of information technology presents, yet must spend millions more on card replacement and other costs to protect their members when a card processor or vendor is breached.

This article covers lessons learned through many breach responses that can save your organization time and money when preparing for and responding to an internal data security breach.

Credit union regulatory compliance requirements give good treatment to the IT risk controls needed to protect members and the organization from loss. However, the evolving world of cyber threats requires preparation and vigilance beyond what compliance alone demands.

Compliance with regulatory requirements doesn't mean your security can't be breached. A compliance report reflects a fixed set of controls on the day of the assessment, while the threat landscape changes far faster than the standards do; many data breach victims have clean compliance reports on the day they are breached.

The arms race between information security defense and attack capabilities continues to escalate. Regulators and industry standards are hard pressed to address emerging threats that target gaps in current security practices.

Because of the breach risk financial institutions face, the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook stipulates that all financial institutions must have an Incident Response Plan. This should be any organization's first step in preparing for a data breach.

How your organization defines and creates its Incident Response Plan will have a significant impact on the success of a breach response. The plan should clearly identify team members, provide guidance on response activities, and address the organization's many regulatory and fiduciary responsibilities. Testing the plan on a regular, periodic basis and improving it from the results is equally important.

An adequate cyber insurance policy is highly recommended. Data breach response by qualified response vendors can cost tens of millions of dollars, depending on the scope of the breach and the size of your organization.

Ensuring that your policy has adequate coverage amounts, and most critically, that it provides “first party” coverage, is essential to getting value from a cyber insurance policy. “First party” coverage reimburses your organization directly for activities such as crisis management, disclosure, remediation, and the extra expenses associated with responding to a data breach.

During a data breach, your organization will face many challenges while resolving the crisis. Understanding the scope of the breach, including the number of data records accessed or stolen, and the method the attackers used to gain access and steal data are the priorities of the first stage of the response.

Dealing with regulators, affected members and third parties will require dedicated communication channels and staff. Your response team must have the resources to contain and eradicate the attacker's presence, and must be able to effectively remediate the cause of the breach.

For breaches that require in-depth forensic investigation, real-time monitoring, or extensive remediation exceeding the capabilities of your organization's IT support staff or vendor, the services of an incident response vendor will be required to augment or outright perform response activities.

Developing a relationship with an incident response vendor and external legal counsel before a breach occurs can provide your organization with reduced rates, rapid response and simplified contracting and service delivery when you need it most. Incident response vendors should be engaged through external legal counsel, so that attorney-client privilege can be applied to response activities where possible.

Finally, and perhaps most importantly, it is critical that senior leadership and legal counsel stay engaged with the response team and have direct and frequent access to objective progress reports. The level at which a response vendor is engaged within your organization is critical to reducing the time and capital required to resolve a breach.

Executive leadership should receive clearly understandable, regular and sufficiently detailed status reports from the response vendor. A clear communication channel between the response team, vendors, and senior decision makers is a critical success factor.

As the pace of technology adoption and emerging threats has increased, organizations continue to be challenged to meet regulatory requirements and smartly address security concerns within their budgets. At the same time, data breaches have become more frequent. Preparing for them with the proper tools, staff, partners, and plans will dramatically decrease the amount of pain felt during a breach response.

Jason Ingalls, CISA, CISSP, is founder and CEO of Ingalls Information Security in Alexandria, La.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.