🛡️ Add intrusion containment procedures#11

Merged
JFWooten4 merged 3 commits into main from containment-procedures-standards on Jun 3, 2026
Conversation

@JFWooten4
Member

Creates containment and control procedures for Regulation S-P incident response under 17 CFR § 248.30, Subsection (a)(3)(ii). The procedures should define how BlockTransfer takes appropriate steps to contain and control incidents involving unauthorized access to or use of customer information, prevent further unauthorized access or use, and coordinate containment decisions with assessment, recovery, service-provider escalation, and customer-notification workstreams.

Recordkeeping implementation is out of scope for this PR and should be handled separately under the transfer-agent recordkeeping issue.

Regulatory basis

Subsection (a)(3): response program

Written policies and procedures in paragraph (a)(1) of this section must include a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures.

Subsection (a)(3)(i): assessment procedures

Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization;

Subsection (a)(3)(ii): containment and control procedures

Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and

Subsection (a)(5)(i): service-provider oversight

A covered institution's response program prepared in accordance with paragraph (a)(3) of this section must include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, including to ensure that the covered institution notifies affected individuals as set forth in paragraph (a)(4) of this section.

Subsection (a)(5)(i)(B): service-provider breach notice

Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider. Upon receipt of such notification, the covered institution must initiate its incident response program adopted pursuant to paragraph (a)(3) of this section.

Subsection (d)(6): customer information systems

Customer information systems means the information resources owned or used by a covered institution, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of customer information to maintain or support the covered institution's operations.

Changes to be made

  • Create written containment and control procedures for incidents involving unauthorized access to or use of customer information.
  • Define immediate containment steps, including account lockout, credential rotation, access revocation, system isolation, and service-provider escalation.
  • Define how BlockTransfer identifies and protects affected customer information systems during containment.
  • Define how containment decisions are coordinated with incident assessment, recovery, legal review, and customer-notification decision-making.
  • Add procedures for preserving relevant evidence while preventing further unauthorized access or use.
  • Add service-provider containment escalation procedures, including the 72-hour provider breach notice requirement.
  • Define internal roles responsible for containment decisions, technical response, vendor coordination, and executive escalation.
  • Cross-reference the separate assessment procedure, customer notice procedure, service-provider oversight, and transfer-agent recordkeeping workstreams.

@JFWooten4
Member Author

#29 should be Subsection (d)(6)

@JFWooten4 JFWooten4 marked this pull request as ready for review June 3, 2026 00:33
@JFWooten4 JFWooten4 merged commit 2578617 into main Jun 3, 2026
@JFWooten4 JFWooten4 deleted the containment-procedures-standards branch June 3, 2026 00:33