Cyber incident response planning

Ensure that a cyber incident response plan is available and up to date. The plan:
  • should include up-to-date contact details (internal and external) and escalation timers
  • should be reviewed on an annual basis, and tested at least every two years, ensuring safe recovery of critical business operations
In addition, a formal backup and recovery plan should exist for all critical business lines.

In case of cyber incidents that compromise the confidentiality, integrity or availability of SWIFT services and products, you should:
  • Notify the appropriate internal and external stakeholders.
  • Involve skilled security professionals to identify and resolve the incident.
  • Notify the SWIFT Customer Support Centre promptly after the identification of the problem.
  • Notify the involved parties when the incident has been resolved.
  • Analyze post-incident problems to identify and remediate vulnerabilities.
  • Fully document the incident.

Sharing of threat information may support root cause analysis and sharing of information with the community. Information to be shared is first evaluated to ensure compliance with applicable laws and regulations (for example, privacy of personal data, confidentiality of investigations) and to protect against the unintended sharing of sensitive data or data beyond the relevance of the incident.

Any identified incident involving FTM SWIFT must be immediately reported to the IBM Product Security Incident Response Team (PSIRT) for further analysis.