Incident management (Principle 6)
Principle 6: Banks should develop and implement response and recovery plans to manage incidents [Incidents are current or past disruptive events the occurrence of which would have an adverse effect on critical operations of the bank. Incident management is the process of identifying, analysing, rectifying and learning from an incident and preventing recurrences or mitigating the severity thereof. The goal of incident management is to limit the disruption and restore critical operations in line with the bank's risk tolerance for disruption. See the Financial Stability Board's Effective Practices for Cyber Incident Response and Recovery, October 2020, as an example of detailed response and recovery practices.] that could disrupt the delivery of critical operations in line with the bank's risk appetite and tolerance for disruption. Banks should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents.
33. Banks should maintain an inventory of internal and third-party incident response and recovery resources to support the bank's response and recovery capabilities.
34. The scope of incident management should capture the life cycle of an incident, [Recognising that the life cycle of an incident could span multiple measures of time, ranging from hours to weeks to months.] typically including, but not limited to:
a) the classification of an incident's severity based on predefined criteria (eg expected time to return to business as usual), enabling proper prioritisation of and assignment of resources to respond to an incident.