Incident Response Plan

Purpose

This Incident Response Plan describes Berkshire Associates LLC’s ("Berkshire" or the "Firm") response and recovery procedures in the event of a cybersecurity incident. Due to the unforeseeable nature of the circumstances surrounding an incident, the Firm’s response strategy may differ during an actual incident. While this Plan is intended to streamline the response process, it cannot provide guidance for every given incident. As such, the Firm will use this document as guidance when responding to incidents, but may use an alternative approach if the appropriate response to an incident has not been accounted for in this Plan.

For the purposes of this Incident Response Plan, an "incident" means any act that causes, or could potentially cause, the confidentiality, integrity, or availability of a system or the data a system processes, stores, or transmits to be compromised.

Information Security Team

The Information Security Team will be responsible for activating this Plan and leading investigations of reported incidents. Once this Plan has been activated, the Information Security Team will take the steps deemed necessary to contain, mitigate, and resolve an incident. The Firm may consult and work with third-party service providers during an incident as deemed necessary.

Berkshire’s IT Department will be contacted to provide assistance as needed during incidents. Berkshire’s IT Department typically provides day-to-day support and is well positioned to understand the technical requirements and processes necessary to resolve a security incident.

Employee Responsibilities

Berkshire’s employees are responsible for meeting the following requirements under this Incident Response Plan:

  1. Immediately reporting incidents to the Information Security Team and being available to assist the Information Security Team, if additional information is needed. If the Information Security Team is not available, employees should contact the Firm’s IT Provider.
  2. Ensuring they have read and understand the procedures outlined throughout this Incident Response Plan. While the Information Security Team is primarily responsible for handling the Firm’s response and recovery procedures, all employees are responsible for incident awareness and should familiarize themselves with this Incident Response Plan in case their assistance is needed.
  3. Attending the Firm’s cybersecurity training sessions or taking online cybersecurity training courses. The training will educate employees on the common intrusion techniques used by hackers to execute cyber-attacks, how to identify red flags, and how to report an incident or any suspicious activity.

Incident Response Phases

As a general guide for responding to incidents, Berkshire’s Incident Response Plan is made up of a series of phases that should collectively aid in ensuring threats are responded to appropriately. While these steps need not be sequential, each is important for safeguarding the Firm’s assets.

Phase 1 | Detection & Analysis
A preliminary analysis of any reported incident should be led by the Information Security Team, in conjunction with the Firm’s IT Provider, to determine the validity of the incident and whether this Incident Response Plan needs to be activated. If this Incident Response Plan is activated, the Information Security Team should log the steps taken throughout their investigation in the Incident Response Report.

Identification
The Information Security Team should identify the source of the incident, the assets affected, and the resulting damage.

Prioritization
In cases where multiple incidents occur simultaneously, incidents should be prioritized based on their severity and impact. Certain incidents can cause more damage than others and should be addressed in order of impact. The Information Security Team can identify priority levels by evaluating the following:

  1. Functional Impact - Incidents may inhibit the Firm’s ability to continue business operations. When assessing the functional impact of an incident, the immediate functional impact and future functional impact, if the incident is not remediated, should be considered.
  2. Information Impact - Incidents may impact the confidentiality, integrity, and availability of the Firm’s data. The type of data affected and the resulting consequences should be considered.
  3. Recoverability Impact - The level of effort and amount of resources, in both time and money, needed to recover from an incident should be considered to facilitate response efforts.

Notification
The Information Security Team should create a communication plan with Berkshire’s IT Management to determine with whom, what information, and how they will communicate the details of an incident to the Firm’s service providers, clients/investors, regulators, and other third parties. Who needs to be notified and the level of detail that should be disclosed will vary depending on Berkshire’s legal and regulatory obligations, the individuals affected by the incident, and the resources needed to assist with response efforts.

  1. Approval - Any information regarding an incident will only be released to third parties (e.g., service providers, clients/investors, regulators, the media, etc.) upon Berkshire’s IT Management’s approval.
  2. Communications Designee - Regular status updates may need to be provided to the appropriate parties. As such, the Information Security Team may designate an individual or group of individuals to lead the communication process on behalf of the Firm during this time.
  3. Law Enforcement - If, during the course of the investigation, it has been determined that criminal activity has occurred, the Firm may need to notify the appropriate law enforcement agency. Berkshire’s IT Director must pre-approve any communications with law enforcement.

    Although some instances may require immediate disclosure of a breach, Berkshire’s Information Security Team shall consult with legal counsel regarding the federal, state, and regulatory mandates for notifying affected parties of a breach within the required timeframes.
  4. Employee Guidance - It is impractical to provide a "one-size-fits-all" procedure for incidents as the actual response steps taken during an incident can vary widely depending on the nature and severity of the incident. In an effort to provide guidance to the extent possible, Berkshire has established the below procedures for employees to use as guidance when faced with specific (or suspected) types of incidents. For any incidents not mentioned below such as, but not limited to, a slow or delayed computer, virus outbreak, account or password compromise, or notification of a breach by a third-party or other employee, employees must immediately notify the Information Security Team.

Phase 2 | Containment, Eradication, & Recovery
During this phase, the goal is to lessen the damage being caused by the incident, remove the source of the incident, and recover within a reasonable time.

Preserving Evidence
The Information Security Team may need to gather evidence for investigation or legal purposes. It is possible for evidence to be altered, deleted, or overwritten so the Information Security Team should ensure evidence is collected and preserved as soon as the incident is reported. If there is time and bandwidth available to preserve system logs, firewall logs, or other pertinent data, efforts should be made to preserve evidence. The Firm may need to conduct a forensic analysis to identify and document key information.

Containment
Containment is critical to limiting the loss of or damage to resources, systems, and data. Containment strategies are dependent on understanding the Firm’s IT infrastructure and making the best use of the infrastructure. Therefore, the Information Security Team should work with their IT Provider or any other IT resources to develop an effective containment strategy. How long recovery efforts will take, the damage or potential damage that the Firm will incur, and the resources needed should be considered when developing the strategy. Examples include, but are not limited to:

  • Terminating inbound or outbound traffic from the infected systems
  • Powering off or shutting down the infected systems
  • Disabling system functions
  • Failing over to backup systems
  • Modifying or blocking firewall policies
  • Activating the Business Continuity Plan (BCP)

Eradication & Recovery
Once an incident is contained, the Information Security Team must ensure there are no infections left in the Firm’s systems and all components of the incident have been eliminated. In some instances, eradication and recovery can occur simultaneously. Examples include, but are not limited to:

  • Removing malicious code or viruses
  • Disabling or resetting passwords on compromised accounts
  • Tightening access rights
  • Shutting down and restarting systems
  • Reinstalling the operating system and/or applications
  • Restoring systems from backups that were not affected by the incident
  • Conducting vulnerability scans on the affected systems
  • Updating or installing patches on affected systems
  • Tightening network security settings
  • Tightening monitoring and logging settings
  • Reconfiguring software and hardware settings

Normal operations can resume once the Information Security Team confirms a return to full functionality. After twenty-four (24) hours of full functionality, an "Event All Clear" state may be announced.

Phase 3 | Post-Incident Analysis
Using the information collected during an incident, the Information Security Team shall conduct an analysis to identify trends or patterns from an incident, whether similar attacks have occurred in the past, or potential new threats. The analysis shall include a "lessons learned" meeting to determine whether improvements need to be made to the Firm’s security practices and/or incident handling process.

The Incident Response Report shall be finalized to evidence all related information, determination of cause, resulting actions, and the steps taken to remediate an incident. The Incident Response Report shall be saved with any supporting evidence or pertinent information from an incident.

Date        Version  Summary of Changes
08/14/2020  1.12     Annual Policy Review, removed references to VP of PD and BD, clarified reference to timeframe for notification from 24 business hours to 1 business day.
08/06/2021  1.13     Annual Policy Review, updated distribution section to clarify all staff receives and is trained on policy.
08/01/2022  1.14     Annual Policy Review.
08/01/2023  1.15     Annual Policy Review. Minor update on overview.
07/24/2024  1.16     Annual Policy Review. Minor update on distribution of policy.
07/24/2025  2.0      Revised Policy. Updates to form and procedures.