Cybersecurity Incident Response Checklist

Pull the written incident response program required under the SEC Reg S-P amendments and confirm the on-call list, CCO, COO, IT lead, outside counsel, and forensics vendor are reachable. A stale contact tree is the most common reason a real incident loses its first six hours.

Pull alert details from the SIEM (Arctic Wolf, Huntress, CrowdStrike, Sentinel) and confirm whether this is a true positive. Capture the initial detection timestamp — Reg S-P's 30-day customer notice clock starts when the firm has reasonable basis to conclude unauthorized access occurred.

Severity drives escalation, regulator engagement, and disclosure obligations. Critical = active exfiltration, ransomware, or wire fraud in progress; High = unauthorized access confirmed; Medium = suspected access, no exfil; Low = isolated phishing or malware contained at endpoint.

Use the EDR console (CrowdStrike, SentinelOne, Defender) to network-isolate affected hosts rather than powering them down — power-off destroys volatile memory needed for forensics. Document the isolation action and timestamp in the incident log.

Disable user accounts in Entra ID / Okta, revoke active sessions and refresh tokens, and rotate any service-account or API keys that touched the compromised host. For advisor accounts, also revoke custodian portal access (Schwab Advisor Center, Fidelity Wealthscape) until identity is reverified.

Retain forensics (Mandiant, Kroll, Arete, CrowdStrike Services, Tetra Defense) through outside counsel under a Kovel-style engagement letter. The vendor's scoping report drives root cause, IOCs, and the regulator-facing narrative.

Reimage rather than clean — adversaries leave persistence mechanisms that AV scans miss. Patch the entry vector (unpatched VPN, exposed RDP, vendor compromise) and confirm MFA is enforced on every external-facing service before bringing systems back online.

Submit the formal claim notice in writing within the policy's notification window (commonly 24-72 hours from discovery). Include the incident timeline, severity, panel vendors engaged, and preliminary impact estimate. Late notice is the most common coverage denial reason.

Schwab, Fidelity, Pershing, and Altruist each have a written incident notification protocol for advisor breaches. Notify their fraud / cybersecurity desk so they can apply enhanced verification on wires and ACATS originating from your firm during the response window.

Per FinCEN's October 2016 advisory, cyber events affecting financial accounts are SAR-reportable even without a confirmed dollar loss. Filing deadline is 30 days from initial detection of suspicion. Reference the IP addresses, malware names, and IOCs in the narrative — FinCEN's typology team uses them.

The 2024 Reg S-P amendments require customer notice within 30 days of determining sensitive customer information was, or is reasonably likely to have been, accessed without authorization. Notice must describe the incident, the data involved, and the firm's response — coordinate with outside counsel on language and with the CRM team on per-client delivery and acknowledgment retention.

Restore from offline immutable backups taken before the earliest known compromise timestamp — never from a backup whose creation overlaps the dwell-time window. Monitor the restored estate at heightened EDR sensitivity for the next 14 days for residual IOCs.

Walk the timeline minute-by-minute with the CCO, COO, IT lead, forensics, and outside counsel. Identify what the SIEM caught vs. missed, where the contact tree slowed response, and which custodian / vendor coordination steps were ad hoc. Capture findings in writing — SEC exam staff will ask for the post-incident review.