Fortifying financial services – The must-have cybersecurity incident response plan

By António Vasconcelos, Senior Staff Product Manager, XDR, at SentinelOne


Financial services organisations are prime targets for cyber attacks, as they provide access to a treasure trove of sensitive financial data and often hold significant assets. For bad actors, finance crime does indeed pay, with an average cost of $5.97 million per data breach in the finance industry – the highest of any industry, apart from healthcare.

When it comes to defending against cyberattacks, having a comprehensive incident response plan is a vital, yet often overlooked, line of defence. An incident response plan can help protect critical systems and data and mitigate the damage caused by cyber incidents by outlining procedures for detecting, analysing, and responding to cyber threats quickly and effectively.

But what are the key elements of an effective plan and how can organisations ensure they are prepared against cybersecurity threats?

Understanding cybersecurity as a strategic risk – not a technical one

Finance leaders know that cybersecurity is a key concern, and one that directly affects an organisation’s critical systems. But instead of viewing it as an isolated technical issue, they should see cybersecurity as a critical aspect of their overall business strategy and success. The first step to crafting an effective incident response plan is helping senior leaders understand that cybersecurity risk is a strategic risk, and gaining their buy-in.

This starts with understanding how cybersecurity relates to the organisation’s mission, objectives, and overall risk management strategy. As an example, framing the approach with the help of Simon Sinek’s Golden Circle model can clarify the incident response process for the entire organisation by answering three questions in this order: Why? How? What?

  1. “Why” does the organisation need cybersecurity? For example, to protect the confidentiality, integrity, and availability of the organisation’s sensitive financial data and assets
  2. “How” can this be achieved? For instance, by approaching cybersecurity holistically, with a focus on people, processes, and technology
  3. “What” does this mean for the business? E.g., meeting company mission and objectives, building trust with customers, and protecting stakeholder interests

By treating cyber risk as a strategic risk, financial services organisations can empower their teams to take a proactive approach to incident response, rather than a reactive one. Starting with the “why” of cybersecurity helps leaders set the tone for a security-focused culture within the organisation, emphasising the importance of cybersecurity in all business operations.

Key incident response team roles and responsibilities

A cybersecurity incident response team is typically composed of professionals from different departments within the organisation who collaborate to detect security incidents quickly and effectively. Their main objective is to minimise disruption and damage, thereby safeguarding the organisation’s finances and reputation.

Though incident response teams will look different based on the size and needs of the business, they are typically responsible for the following key tasks:

  • Establishing processes, plans & procedures – Customising processes based on the organisation’s defined objectives and purpose, and identifying what constitutes an incident and its impact. This helps develop incident prioritisation matrices and playbooks for relevant security scenarios and ensures that the incident response plan aligns with the organisation’s overall security strategy, enabling effective preparation and response to security incidents.
  • Maintaining an incident response inventory – Staying informed about current cyber threats and having knowledge of all critical assets within the organisation. Additionally, keeping incident analysis resources, such as network diagrams, contact lists, and the application inventory, up to date so that incident response efforts can succeed.
  • Incident analysis – Continuously monitoring for indicators of compromise and collecting data for analysis. If an active incident is detected, the incident response team decides whether to involve third-party support to contain the threat. The security operations centre (SOC) team has a critical role in this area, identifying incident indicators and responding promptly, which reduces mean-time-to-containment and improves the response to cyber threats. Many financial services organisations have also recently started incorporating AI technology into their security infrastructure.
  • Communications & reporting – Adhering to established communication protocols that specify what information must be communicated during and after a security incident, when it should be communicated, and to whom. As per their designated roles, the incident response teams may handle both internal and external communications, with guidance from legal and PR teams. Promptly informing relevant parties such as cyber insurance providers, third-party incident support, legal counsel, and regulatory authorities, when necessary, can prevent financial services organisations from incurring legal and financial liabilities.

An incident response team may have overlapping roles, depending on the size, maturity, and nature of the business, but having clear responsibilities for each role is essential to ensure its effectiveness.

Identify where incident response can be improved

Holding ‘lessons learned’ sessions is another crucial component of an effective incident response plan. It can help leaders evaluate incident response performance – identifying challenges and ways to improve capabilities in the future.

Post-incident activities involve analysing the response process to determine what worked and what didn’t. Preparing a log of incidents allows organisations to track the types of incidents they experience and create a benchmark for measuring response effectiveness. Assessing performance against actionable metrics, such as the time it takes to respond to different types of incidents, allows organisations to evaluate the effectiveness of their response process and identify specific areas for improvement.
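A minimal version of the benchmarking this paragraph describes, as an added example that is not part of the original article: it reads an incident log (constructed sample rows, not real data), derives time-to-detect and time-to-contain for each incident, rolls them up into mean time to detect (MTTD) and mean time to contain (MTTC) per incident type, and flags the types that miss a containment target. The column layout, the category names and the 4-hour target are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample incident log (not real data). Each row:
# (incident id, category, occurred, detected, contained), ISO 8601 timestamps.
INCIDENT_LOG = [
    ("INC-001", "phishing", "2024-03-01T08:00", "2024-03-01T09:30", "2024-03-01T11:00"),
    ("INC-002", "phishing", "2024-03-05T14:00", "2024-03-05T14:30", "2024-03-05T16:30"),
    ("INC-003", "malware", "2024-03-10T02:00", "2024-03-10T10:00", "2024-03-10T22:00"),
    ("INC-004", "malware", "2024-03-12T09:00", "2024-03-12T11:00", "2024-03-12T15:00"),
    ("INC-005", "credential_abuse", "2024-03-15T00:00", "2024-03-16T00:00", "2024-03-16T06:00"),
]

def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def parse_log(rows):
    """Validate each row's timeline and compute its two response-time measures (hours).

    time-to-detect: first malicious activity -> SOC detection
    time-to-contain: detection -> threat contained
    """
    incidents = []
    for ident, category, occurred, detected, contained in rows:
        ttd, ttc = hours_between(occurred, detected), hours_between(detected, contained)
        if ttd < 0 or ttc < 0:  # a mis-ordered timeline would silently distort the benchmark
            raise ValueError(f"{ident}: expected occurred <= detected <= contained")
        incidents.append({"id": ident, "category": category, "ttd": ttd, "ttc": ttc})
    return incidents

def metrics_by_category(incidents):
    """Per incident type: count, mean time to detect (MTTD) and mean time to contain (MTTC)."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["category"]].append(inc)
    return {
        cat: {
            "count": len(incs),
            "mttd_hours": round(mean(i["ttd"] for i in incs), 2),
            "mttc_hours": round(mean(i["ttc"] for i in incs), 2),
        }
        for cat, incs in groups.items()
    }

def categories_over_target(metrics, mttc_target_hours):
    """Incident types whose MTTC misses the agreed target: the specific areas to improve."""
    return sorted(cat for cat, m in metrics.items() if m["mttc_hours"] > mttc_target_hours)
```

With the sample rows, `categories_over_target(metrics_by_category(parse_log(INCIDENT_LOG)), 4.0)` singles out the malware and credential-abuse categories, which is the kind of benchmark a lessons-learned session would act on.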

Regular training and exercises provide teams with a safe environment to practise their response plans, identify gaps in their preparedness, and improve their response effectiveness.


Security operations teams play a critical role in reducing the time-to-containment, but it is crucial for organisations to adopt a holistic approach to incident response. Instead of viewing incident response as solely the responsibility of the IT department, organisations should take a top-down approach, where senior leadership fosters a culture of strong security throughout the organisation. In such a culture, every department is encouraged to do its part in supporting incident response efforts.

By building an incident response plan with senior leadership buy-in, defined roles, and post-incident analysis, finance firms can enhance their ability to respond to incidents promptly and effectively, minimising the impact of security incidents and ensuring they can get back to business, faster.
