When a security incident occurs in a financial institution, one of the first and most critical steps is categorization. The speed and accuracy of incident classification determine how resources are deployed, which stakeholders are engaged, and how quickly operations can be restored. To bring structure to this process, most incident response plans use risk severity levels—commonly Low, Medium, High, and Critical.
But severity is more than just a label. It’s a balance of two key factors:
- Impact: How damaging the incident could be to confidentiality, integrity, or availability of systems and data.
- Likelihood: How probable it is that the threat will materialize or escalate.
Let’s break down each severity level through a lens that a financial institution can adopt as a standard in its incident response framework.
Low Severity
- Impact: Minimal impact to systems, customers, or business operations. No regulatory implications. Data may remain unaffected or limited to non-sensitive internal information.
- Likelihood: Low likelihood of escalation or exploitation.
- Examples:
  - A phishing email caught by a spam filter before reaching users.
  - A misconfigured internal setting that doesn’t affect critical systems.
- Response: Routine handling by the security operations team; usually resolved without escalation.
Medium Severity
- Impact: Noticeable disruption but limited in scope. Some sensitive information could be exposed, or minor compliance obligations may be triggered. Business functions may be partially impacted but remain operational.
- Likelihood: Possible to escalate if not contained quickly.
- Examples:
  - Malware detected on an employee workstation, but no evidence of lateral movement.
  - Unauthorized but unsuccessful attempts to access customer data.
- Response: Timely investigation, mitigation steps, and monitoring to ensure the incident does not evolve into something larger. May require coordination with compliance teams.
High Severity
- Impact: Significant operational disruption or data exposure. Regulatory, financial, and reputational damage is probable. Critical business services (such as transaction processing or online banking) may be impaired.
- Likelihood: High likelihood of escalation if response is delayed. Attackers may already be exploiting vulnerabilities.
- Examples:
  - Confirmed exfiltration of sensitive customer data.
  - Distributed denial-of-service (DDoS) attack impacting online banking availability.
- Response: Immediate containment and escalation to senior management. Incident response team and legal/compliance units must be engaged. Potentially reportable to regulators.
Critical Severity
- Impact: Severe, enterprise-wide consequences. Large-scale data breach, system outage, or fraud event that directly affects customers, market confidence, or financial stability. Regulatory penalties and reputational harm are almost certain.
- Likelihood: Extremely high—the threat is active, pervasive, and rapidly evolving.
- Examples:
  - Compromise of core banking systems.
  - Ransomware attack that encrypts or threatens public release of sensitive customer data.
- Response: Full-scale crisis management. Executive leadership, regulators, law enforcement, and potentially public communications must be engaged. Recovery and remediation may span weeks to months.
Building a Standardized Framework
By defining severity levels with clear impact and likelihood criteria, financial institutions can:
- Improve consistency in incident handling across teams.
- Accelerate decision-making during high-stress events.
- Align responses with regulatory expectations.
- Ensure resources are prioritized where risk is greatest.
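As an added illustration (not the article's own tooling), the four levels, their impact/likelihood criteria and the stakeholders named in each Response bullet can be encoded as a triage lookup so that every analyst reaches the same answer. The 1-4 scales, the 4x4 grid and the sample ratings below are constructed assumptions that an institution would calibrate to its own risk appetite.

```python
from dataclasses import dataclass

# Added illustration, not the article's own tooling: the 1-4 scales and the
# 4x4 grid are constructed assumptions, to be calibrated by the institution.
IMPACT = {"minimal": 1, "limited": 2, "significant": 3, "severe": 4}
LIKELIHOOD = {"low": 1, "possible": 2, "high": 3, "extreme": 4}

# Rows = impact 1..4, columns = likelihood 1..4. A severe-impact event rates
# at least High even when unlikely, so "unlikely but catastrophic" is never
# routed as routine SOC work.
MATRIX = [
    ["Low", "Low", "Medium", "Medium"],
    ["Low", "Medium", "Medium", "High"],
    ["Medium", "High", "High", "Critical"],
    ["High", "Critical", "Critical", "Critical"],
]

# Who must be engaged at each level, taken from the Response bullets above.
ESCALATION = {
    "Low": ["security operations"],
    "Medium": ["security operations", "compliance"],
    "High": ["incident response team", "senior management", "legal/compliance"],
    "Critical": ["executive leadership", "regulators", "law enforcement",
                 "public communications"],
}

@dataclass(frozen=True)
class Triage:
    severity: str
    stakeholders: list
    regulator_notice: bool  # High: potentially reportable; Critical: always

def classify(impact: str, likelihood: str) -> str:
    """Look up the severity cell for a qualitative impact/likelihood pair."""
    return MATRIX[IMPACT[impact] - 1][LIKELIHOOD[likelihood] - 1]

def triage(impact: str, likelihood: str) -> Triage:
    """Severity plus the escalation path and regulator flag for that level."""
    sev = classify(impact, likelihood)
    return Triage(sev, ESCALATION[sev], sev in ("High", "Critical"))

if __name__ == "__main__":
    # Constructed ratings for three of the article's example incidents.
    samples = {
        "phishing caught by spam filter": ("minimal", "low"),
        "malware on workstation, no lateral movement": ("limited", "possible"),
        "core banking compromise": ("severe", "extreme"),
    }
    for name, (imp, lik) in samples.items():
        print(f"{name}: {triage(imp, lik).severity}")
```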
Severity classifications should also be tested and refined during tabletop exercises. This ensures that when the next real incident happens, the company isn’t debating severity—it’s acting decisively.
If you are looking for ways to improve your Incident Response Plan or other aspects of your Information Security program, contact us to learn about how our expert team of vCISOs can help.