Monday, June 3, 2024
Nacha's security-breach guidance an essential tool
To expand on an item posted in Quick Takes under Breaking News on Fri., May 31, 2024: Nacha has introduced a free tool to help companies deal with security incidents and breaches. Nacha governs the ACH network, the payment system that drives direct deposits and direct payments and reaches all U.S. bank and credit union accounts.
The security incident response procedure guide for companies is the work of Nacha's Payments Innovation Alliance, a membership program that brings together a diverse group of stakeholders focused on transforming the payments industry.
The tool is available for free and provides procedures and actions a company should take when it reasonably suspects a security incident or breach involving personal or other proprietary data.
The guide can help evaluate suspected incidents or breaches on a case-by-case basis. For example, it can help in determining whether and what notifications are necessary—to customers, regulators, the card brands, the media and/or consumer reporting agencies.
Planning is the key
"Time is of the essence when responding to a suspected incident or breach," said Matt Luzadder, managing partner in the Chicago office of Kelley Drye & Warren LLP. The guide offers suggested actions to help plan for, triage and respond to cyber incidents quickly, and thus minimize potential harm to all involved.
"Planning for potential incidents is key and the guide can serve as a starting point for security discussions within an organization," Luzadder said in a statement released by Nacha. Of course, all organizations are different, so plans should be customized, working with information technology, compliance and legal experts, he added.
The onus for data protection and breach recovery is on the companies that maintain that data. "Companies should have comprehensive disaster recovery and incident response plans in place, conduct periodic employee training and testing, audit and review their systems appropriately and employ threat detection and response technologies," Luzadder said.
The guide, he noted, "can serve as an important resource in developing these risk-reduction strategies." It can also be used in concert with other Alliance resources, such as a "tabletop exercise," which it released last year.
The tabletop exercise was developed to increase organizational preparedness, response and recovery efforts related to cyberattacks and provide actionable approaches for leadership, among other things. It also establishes a framework for compliance by focusing on applicable laws, regulations and rules.