Guidelines on Incident Response Cost Coverage

OVERVIEW

Costs for cyber-security incidents incurred by schools or centers can be covered by central funding according to the guidelines below.  The guidelines fall into three major categories: report incidents quickly, implement protections and respond effectively.  Each category has a different impact on costs as follows:

  • Report Incidents Quickly: If incidents are reported to the Office of Information Security quickly, up to the first $50,000 of incident costs can be covered
  • Implement Protections: After the first $50,000, costs not covered by insurance will be covered proportionally to the number of listed protections that were implemented.  That is, if half the protections are implemented, half the uninsured losses will be covered.
  • Respond Effectively: For the cost coverage in the previous two categories to apply, response efforts must be open and collaborative

GUIDELINES

Schools and Centers should report known or suspected High Severity Incidents to OIS as soon as possible.

Costs will be covered as follows:

  • If incidents are reported to the Office of Information Security within the first 24 hours after the school or center knows or should have known that the incident is severe, up to the first $50,000 of incident costs can be covered.  This provides an incentive for all incidents to be disclosed, regardless of other security controls in place.
  • Incidents initially discovered by OIS, or reported to OIS by a party other than the affected school or center will be treated as being reported within the first 24 hours of their discovery unless the school or center knew or should have known about the incident and failed to report it.

For the purposes of this guideline, an incident is a High Severity Incident if it meets any of the criteria below:

  • Is likely to affect the confidentiality of High sensitivity data
  • Is likely to affect the availability of systems registered in Critical Components (or that meet the criteria for registration)
  • Where an interactive human attacker gains control of a Penn device or account and takes additional actions (e.g., takes over a user account and attempts to escalate privileges or install hacking tools, as opposed to a simple antivirus detection)
  • Where ten or more accounts are compromised or where a VIP’s account is compromised
  • Where one thousand or more dollars is likely to be lost
  • Where fifty or more hours of Penn staff time is likely to be used in response
  • Involves material issues related to research misconduct, the Office of Audit, Compliance and Privacy, an Institutional Review Board, or the Office of General Counsel
  • Where a material incident that does not otherwise meet these criteria involves assistance or action by the Department of Public Safety or other law enforcement
  • There is a significant risk of media attention or other publicity

To qualify as reporting the High Severity Incident, the report must meet the following criteria:

  • The communication to OIS must specify that the incident is a High Severity Incident (as opposed to an incident of unknown severity or an incident that falls below the High Severity Incident designation)
  • The reason the incident qualifies as a High Severity Incident must be conveyed
  • Other incidents reported to OIS must not show a trend of intentional false positive reporting of High Severity Incidents (i.e., reporting all incidents and potential incidents as high severity in order to avoid missing an actual High Severity incident that does not meet this guideline)
  • The incident must be reported in one of the following ways:
    • An email to security@isc.upenn.edu
    • A phone call to the OIS on-call number: 215-898-2172
    • Outreach to the University CISO over email, chat or telephone with confirmation that the message was received (Nick Falcone's Mobile number is listed in Penn Directory)
    • Outreach to the Security Point of Contact (SPOC) for the School or Center or to the OIS Security Operations Center with confirmation that the message was received.

To incentivize adopting key, centrally funded security tools or locally selected equivalents, uninsured costs incurred after the first $50,000 will be covered proportionally based on the degree to which the applicable criteria below are met.

  • Inventory
    • Critical Components Registration: Affected systems were registered in critical components.
    • V-STAR: Affected vendors were reviewed with an effective V-STAR security questionnaire and assessed to be low risk.
    • SPIA: Affected systems and data were accurately and thoroughly described in SPIA.
  • Protection
    • Patches and Vulnerabilities: Affected systems were scanned and had high and critical security patches installed and high or critical vulnerabilities closed within thirty days of release or detection. Risk-accepted vulnerabilities that are not false positives are not considered "closed" for this criterion.
    • System Management: Affected servers and endpoints had their configurations centrally managed by a school or center level IT department, for example using BigFix or JAMF.
    • Encryption: Impacted data was encrypted at rest.
  • Authentication
    • Two-Step Verification for Remote Access: Two-Step Verification was required to remotely access affected systems.
    • Admin Two-Step Verification: Affected systems required Two-Step Verification for administrator-level access.
  • Visibility
    • Logging: Affected systems were configured to export security-relevant logs to a central logging and monitoring solution, for example, Splunk.
    • Endpoint Detection and Response: Affected systems were using an Endpoint Detection and Response tool, such as CrowdStrike, in “prevent” mode.
  • Recovery
    • Backups: Backups for impacted systems and data were immutable, such that they could not be deleted even by an authorized administrator, or all administrator access to the backup system was protected by two-factor authentication.
    • Tabletop Exercise: The relevant organization participated in the most recent annual MCP tabletop exercise.

To qualify for the funding described under Report Incidents Quickly and Implement Protections, the incident response effort by the school or center must be undertaken effectively.  To this end, the school or center must share relevant information about the incident and affected systems promptly and openly with the Office of Information Security and any third parties assisting in incident response, and reasonable recommendations of the Office of Information Security must be followed.

Scope of Coverage

Because incidents driven by cyber-attack are difficult to fully prevent even when well prepared for, this guideline and the funding it describes are intended to cover information security incidents that arise from intrusions into Penn systems (i.e., hacking incidents).  This guideline is not intended to cover costs that arise from other kinds of cybersecurity incidents that follow more predictable patterns, such as:

  • Lost or stolen devices
  • Business email compromise (i.e., use of email, including compromised Penn email accounts, to cause funds to be sent to an attacker-controlled account)
  • Cybersecurity incidents confined to vendor-managed systems that affect Penn data, where no Penn systems other than credentials are compromised
  • Social engineering (i.e., use of deception to obtain unauthorized data or access) that does not involve compromise of systems beyond credential theft

Similarly, this guideline is intended to cover only hard costs incurred directly due to incidents and incident response, for example, incident response consultants and staff augmentation, notification letters and credit monitoring for impacted individuals, ransoms, replacements for destroyed devices, and/or outside legal counsel.  This guideline is not intended to cover soft costs or downstream losses driven by incidents, for example, staff time, business disruption losses or lost revenue, hardware upgrades, new security tools implemented in response to incidents, or damage to reputation.

Assessment of Guideline Compliance

Incidents, by their nature, involve unexpected outcomes and will generally not fit neatly into any pre-established criteria.  Therefore, independent evaluation and judgment will be needed when determining how these guidelines should be applied after any given incident.  The Senior Incident Response Team (composed of the General Counsel, the Vice President, Audit, Compliance and Privacy, the University Chief Information Officer, and the Associate Vice President, University Communications) and the Vice President of Budget, Planning, and Analysis are tasked with making this assessment, while the University Chief Information Security Officer is tasked with collecting and presenting a summary of the incident and the relevant factors so this determination can be made.

Updates to these Guidelines

These guidelines will be reviewed at least annually by the Office of Information Security.  When updated, if the new version of the guidelines includes changes to the Implement Protections section, the new version will generally be published at least one fiscal year ahead of the effective date of the new guidelines.