Incident Response Planning for Small Businesses
How to create an incident response plan that meets NY DFS requirements without enterprise complexity.
Section 500.16 requires covered entities to establish a written incident response plan. For small businesses, this doesn't mean creating a 100-page document—it means having a practical, actionable plan your team can actually follow when something goes wrong.
72-Hour Notification Requirement
Under Section 500.17, you must notify NY DFS within 72 hours of determining that a reportable cybersecurity event has occurred. The clock starts at the determination, not at first detection, so your plan needs a named person with the authority to make that call and a record of when it was made. The 2023 amendment also requires notice within 24 hours of any extortion payment, followed within 30 days by a written explanation of why payment was necessary and what alternatives were considered. Your incident response plan should account for these tight timelines.
What Section 500.16 Requires
Your incident response plan must address:
- Internal processes for responding to cybersecurity events
- Goals of the incident response plan
- Roles, responsibilities, and levels of decision-making authority
- External and internal communications and information sharing
- Identification of requirements for remediating identified weaknesses in information systems and controls
- Documentation and reporting of incidents
- Evaluation and revision of the plan following incidents
Building Your Incident Response Plan
1. Define Your Incident Response Team
Even in a small business, you need clear roles. At minimum:
- Incident Commander: Makes decisions and coordinates response (often the owner or CISO)
- Technical Lead: Handles technical investigation and containment
- Communications Lead: Manages internal and external communications
2. Establish Incident Categories
Not all incidents require the same response. Define severity tiers, listed here from most to least severe:
- Highest severity: active ransomware, data breach with confirmed exfiltration, system-wide compromise
- High: malware infection, unauthorized access to sensitive systems, phishing with credential compromise
- Moderate: suspicious activity, failed breach attempt, policy violation
- Low: minor policy violations, spam, non-targeted threats
Tie each tier to a response deadline and a notification list; anything in the top tier should trigger the reportability determination immediately.
3. Create Response Procedures
For each incident category, document:
- Detection & Analysis: How do we identify and confirm the incident?
- Containment: How do we stop the incident from spreading?
- Eradication: How do we remove the threat?
- Recovery: How do we restore normal operations?
- Post-Incident: How do we learn from the incident?
4. Define Communication Procedures
Your plan should include:
- Internal notification: Who gets notified and how (phone tree, email, text)
- Customer notification: When and how to notify affected customers
- Regulatory notification: NY DFS, and potentially other regulators
- Law enforcement: When to involve police or FBI
5. Document External Resources
Include contact information for:
- Incident response consultants or managed security provider
- Cyber insurance carrier (claims hotline)
- Legal counsel with cybersecurity experience
- NY DFS reporting portal and phone number
NY DFS Notification Timeline
1. Detect, contain, and determine whether the event is "reportable." Under Section 500.17, an event requires notice if it is reasonably likely to materially harm a material part of your normal operations, if it triggers a notice obligation to any other government, self-regulatory, or supervisory body, or if ransomware is deployed within a material part of your information systems. Record the date and time of the determination, because the 72 hours run from it.
2. If reportable, notify NY DFS through the portal within 72 hours of that determination.
3. Continue investigation and remediation. You have a continuing obligation to update and supplement what you reported as the facts develop.
4. Submit a final report with root cause and remediation.
Testing Your Plan
An untested plan is just a document. Test your plan by:
- Tabletop exercises: Walk through scenarios with your team
- Communication tests: Verify contact information works
- Annual reviews: Update the plan as your business changes
Buffalo Sentinel Incident Response Support
Our platform includes incident response plan templates, tabletop exercise scenarios, and integration with our vCISO service for hands-on incident response support when you need it.
Need Help Building Your IR Plan?
Get started with our incident response plan template, designed specifically for small businesses.