3.4. Capability development (individual and shared)
Recommendation 14. Maintain response capabilities which support CIR
FIs should continuously identify and address any gaps in their cyber incident response capabilities which directly support CIR, including incident detection, assessment and training on a continuous basis.
To encourage preparation around incident detection and reporting, FIs should consider adopting effective practices, such as those outlined in the FSB's toolkit of Effective Practices for Cyber Incident Response and Recovery (see Box 5) [FSB (2020)]. In many cases, the FSB toolkit recognises that certain specialised incident response and reporting capabilities may not always be retained in-house, particularly for smaller institutions, and can be obtained from third parties or affiliated organisations. In particular, vendors or external consultants can help with technology solutions, security monitoring, forensic capabilities and trusted information resources to provide additional capabilities to an FI prior to an incident, and can be rapidly escalated in the response to more complex incidents. Because incidents can manifest because of third-party relationships, FIs should evaluate the need, and ability, to obtain relevant information from third-party providers for a relevant incident report (e.g. through contracts or service-level agreements). Where appropriate, FIs should encourage their third-party providers to share incident information that impacts their provided services. This would facilitate FIs' early assessment of cyber incidents, as well as response and recovery activities.
Box 5: Relevant practices from the FSB CIRR Toolkit