Cybersecurity Incident Response Checklist

Preparation

    Pull the written incident response program required under the SEC Reg S-P amendments and confirm the on-call list, CCO, COO, IT lead, outside counsel, and forensics vendor are reachable. A stale contact tree is the most common reason a real incident loses its first six hours.

    Most cyber policies (Beazley, Chubb, Coalition, AIG, Travelers) require notice of a suspected incident within the window stated in the policy (commonly 24-72 hours, some "as soon as practicable") and use of panel counsel and forensics to keep those costs covered. Retaining vendors outside the panel without the carrier's consent can jeopardize coverage for their fees, so call the carrier's breach hotline before engaging anyone.

Detection & Triage

    Pull alert details from the SIEM or MDR console (Arctic Wolf, Huntress, CrowdStrike, Microsoft Sentinel) and confirm whether this is a true positive. Record the initial detection timestamp and, separately, the time the firm became aware that unauthorized access to or use of customer information occurred or is reasonably likely to have occurred. That second moment, not the alert, starts Reg S-P's 30-day customer notice clock, so the incident log must show both.

    Severity drives escalation, regulator engagement, and disclosure obligations. Critical = active exfiltration, ransomware, or wire fraud in progress; High = unauthorized access confirmed; Medium = suspected access, no exfil; Low = isolated phishing or malware contained at endpoint.

    Non-public personal information under GLBA includes SSN, account numbers, balances, DOB, and any combination of name plus financial identifier. NPI exposure triggers Reg S-P customer notification, state breach laws, and, for firms with a SAR filing obligation (broker-dealers today; investment advisers once FinCEN's adviser AML rule takes effect), likely a SAR. Document the basis for the conclusion either way: a hasty "No" that turns into a "Yes" later is worse than a careful "Unknown."

Containment

    Use the EDR console (CrowdStrike, SentinelOne, Defender) to network-isolate affected hosts rather than powering them down — power-off destroys volatile memory needed for forensics. Document the isolation action and timestamp in the incident log.

    Disable user accounts in Entra ID / Okta, revoke active sessions and refresh tokens, and rotate any service-account or API keys that touched the compromised host. For advisor accounts, also revoke custodian portal access (Schwab Advisor Center, Fidelity Wealthscape) until identity is reverified.

    Capture memory and disk images before remediation; pull EDR telemetry, email archive (Smarsh, Global Relay), and authentication logs covering at minimum 90 days back, and record hashes and chain of custody for every artifact. Hand off to panel forensics retained through outside counsel so the report has the strongest claim to privilege. Privilege is not automatic: courts have ordered production of forensic reports that also served ordinary business purposes, so keep the legal-advice report separate from remediation deliverables and limit its distribution.
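    The account-containment steps above (disable the identity, revoke sessions and refresh tokens, log the action with a timestamp) as one worked example. This is added illustration code, not part of the original checklist or any vendor's tooling. It uses the Microsoft Graph v1.0 endpoints for disabling a user and revoking sign-in sessions; the HTTP transport is injected so the flow runs offline against a constructed fake, and the `requests`-based transport assumes an app-only token with the needed Graph permissions obtained elsewhere. EDR isolation, key rotation, and custodian portal revocation remain separate steps.

```python
"""Identity containment for a compromised Entra ID user (added example).

Disables the account, revokes refresh tokens / sign-in sessions via Microsoft
Graph, and appends a timestamped entry to the incident log. The transport is
injected so the flow can be exercised offline against a constructed fake.
"""
from datetime import datetime, timezone
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# transport(method, url, json_body) -> (status_code, response_json)
Transport = Callable[[str, str, Optional[dict]], tuple]


def requests_transport(bearer_token: str) -> Transport:
    """Production transport: wraps `requests` with an app-only Graph token
    (assumed to carry User.ReadWrite.All and User.RevokeSessions.All)."""
    import requests  # imported lazily so the offline demo has no dependency

    def send(method, url, body):
        r = requests.request(method, url, json=body, timeout=30,
                             headers={"Authorization": f"Bearer {bearer_token}"})
        return r.status_code, (r.json() if r.content else {})
    return send


def contain_user(upn: str, send: Transport, incident_log: list,
                 now: Optional[datetime] = None) -> dict:
    """Disable `upn`, revoke its sessions, record the action. Returns the log entry."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"ts": ts, "action": "entra_disable_and_revoke", "principal": upn, "steps": {}}

    # 1. Block new sign-ins. Graph returns 204 No Content on success.
    status, _ = send("PATCH", f"{GRAPH}/users/{upn}", {"accountEnabled": False})
    entry["steps"]["disable"] = status
    if status != 204:
        incident_log.append(entry)  # log the failed attempt too
        raise RuntimeError(f"disable failed for {upn}: HTTP {status}")

    # 2. Invalidate refresh tokens and browser sessions. Access tokens already
    #    issued stay valid until they expire (about an hour by default), so EDR
    #    isolation and Conditional Access must cover that gap. Graph answers
    #    200 with {"value": true} on success.
    status, body = send("POST", f"{GRAPH}/users/{upn}/revokeSignInSessions", None)
    entry["steps"]["revoke"] = status
    if status != 200 or body.get("value") is not True:
        incident_log.append(entry)
        raise RuntimeError(f"session revocation failed for {upn}: HTTP {status}")

    incident_log.append(entry)
    return entry


def fake_graph(calls: list) -> Transport:
    """Constructed stand-in for Graph: records each call and returns the
    documented success responses. Not a real tenant."""
    def send(method, url, body):
        calls.append((method, url, body))
        if method == "PATCH" and url.startswith(f"{GRAPH}/users/"):
            return 204, {}
        if method == "POST" and url.endswith("/revokeSignInSessions"):
            return 200, {"value": True}
        return 404, {"error": "unexpected call"}
    return send


if __name__ == "__main__":
    calls, log = [], []
    print(contain_user("advisor@example.com", fake_graph(calls), log))
    for c in calls:
        print(c)
```

    Swap `fake_graph(calls)` for `requests_transport(token)` to run it against a tenant. The entry it appends to the incident log is the record the isolation timestamp step above asks for; keep the log append-only and outside the affected hosts.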

Eradication

    Retain forensics (Mandiant, Kroll, Arete, CrowdStrike Services, Tetra Defense) through outside counsel under a Kovel-style engagement letter. The vendor's scoping report drives root cause, IOCs, and the regulator-facing narrative.

    Reimage rather than clean — adversaries leave persistence mechanisms that AV scans miss. Patch the entry vector (unpatched VPN, exposed RDP, vendor compromise) and confirm MFA is enforced on every external-facing service before bringing systems back online.

    Sweep the full estate for the indicators of compromise the forensics vendor produced — file hashes, C2 domains, persistence registry keys, scheduled tasks. A clean sweep is the precondition for restoring production access.

Regulatory & Customer Notification

    Submit the formal claim notice in writing within the policy's notification window (commonly 24-72 hours from discovery). Include the incident timeline, severity, panel vendors engaged, and preliminary impact estimate. Late notice is the most common coverage denial reason.

    Schwab, Fidelity, Pershing, and Altruist each have a written incident notification protocol for advisor breaches. Notify their fraud / cybersecurity desk so they can apply enhanced verification on wires and ACATS originating from your firm during the response window.

    Per FinCEN's October 2016 advisory on cyber-events (FIN-2016-A005), a cyber event the firm suspects was intended to affect, or could have affected, a transaction or series of transactions is SAR-reportable even without a confirmed dollar loss; lesser events may be reported voluntarily. The filing deadline is 30 calendar days from initial detection of facts that may constitute a basis for filing, extendable to 60 days if no suspect has been identified. Put the cyber indicators in the narrative: IP addresses with timestamps, malware names and hashes, device identifiers, and attacker-controlled accounts. The advisory specifically asks for them, and FinCEN correlates them across filings.

    The 2024 Reg S-P amendments require notice to affected individuals as soon as practicable, and no later than 30 days after the firm becomes aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless the firm determines after a reasonable investigation that the information has not been and is not reasonably likely to be used in a way that would cause substantial harm or inconvenience. The notice must describe the incident and the types of information involved in general terms, give the date or estimated date range, tell the customer how to contact the firm, and recommend reviewing statements, reporting suspicious activity, and placing fraud alerts. Coordinate with outside counsel on language and with the CRM team on per-client delivery and acknowledgment retention. Compliance dates are December 3, 2025 for larger entities and June 3, 2026 for smaller entities.

    Every state has its own breach notification statute with its own thresholds, deadlines, and content requirements. Several set hard deadlines of 30 days or less (Colorado, Florida, and Washington among them), and California, New York, and Massachusetts are among the most prescriptive on notice content and regulator filings. Build the AG and regulator list from where affected clients reside, not where the firm is registered, and check each state's headcount threshold for mandatory notice to the AG or a state agency.

Recovery & Lessons Learned

    Restore from offline immutable backups taken before the earliest known compromise timestamp — never from a backup whose creation overlaps the dwell-time window. Monitor the restored estate at heightened EDR sensitivity for the next 14 days for residual IOCs.

    Walk the timeline minute-by-minute with the CCO, COO, IT lead, forensics, and outside counsel. Identify what the SIEM caught vs. missed, where the contact tree slowed response, and which custodian / vendor coordination steps were ad hoc. Capture findings in writing — SEC exam staff will ask for the post-incident review.

    Revise the written incident response program to close the gaps surfaced in review, version the document, and record CCO sign-off. The annual Reg S-P / Safeguards Rule review will reference this update.
