Incident and leak response
1) Purpose, principles and scope
Goal: reduce damage and legal risk, keep operations running, and make every action provable during security and compliance incidents.
Principles: "contain quickly → confirm accurately → document transparently → notify lawfully → prevent recurrence."
Scope: cyber incidents (DDoS, ATO, intrusions, vulnerabilities), PII/payment data leaks, AML/KYC/sanctions violations, provider failures (KYC/PSP), advertising/responsible gaming (RG) incidents, compromised partners.
2) Severity classification and triggers
3) Escalation SLAs and the incident bridge
Initiation: a High or Critical incident opens a war room (chat/call) and assigns an Incident Commander (IC).
SLA: Info: n/a; Low: 24 h; Medium: 4 h; High: 1 h; Critical: 15 min.
Bridge roles: IC, Security Lead, SRE/Ops, Compliance (deputy IC for legal matters), Legal/DPO, Payments/FRM, Support/VIP, PR/Comms, Data/Forensics.
4) Response process (adapted SANS/NIST lifecycle)
1. Preparation: runbooks, contact lists, backup providers, test alerts, default-deny access.
2. Identification: SIEM/SOAR correlation, anti-fraud rules, KRI signals; confirm the facts and the scale.
3. Containment: segmentation, disabling the vulnerable feature/endpoint, geo-restrictions, feature flags, temporary limits/holds.
4. Eradication: patching, key rotation, blocking accounts/devices, removing malicious artifacts, rebuilding images.
5. Recovery: integrity validation, gradual return of traffic (canary pools), regression monitoring.
6. Post-incident: post-mortem within 72 h, CAPA plan, updates to policies/thresholds/models.
5) Legal notices and external communications
- Data protection authority (DPA): confirmed PII leak → notification (incident description, data categories, measures taken, DPO contact).
- Gambling regulator: large-scale violations of RG/advertising rules, or failures that affect players or regulatory reporting.
- Banks/PSPs: suspicious activity/SAR cases, mass chargebacks, compromise of the payment flow.
- Users: leak of their data or high risk of harm; letter templates and FAQs.
- Partners/vendors: incidents on their side or ours that affect shared flows/data.
Communication rules: one designated speaker, facts without speculation, clear actions/recommendations, retain every version of messages and answers.
6) Forensics and chain of custody
Record who collected what and when; keep evidence in WORM/immutable storage.
Take volume/log snapshots; export artifacts with their SHA-256 hashes recorded.
Read-only access; work on copies, never on originals.
Document every command and step; keep the timeline.
Agree with Legal/DPO on the conditions for transferring artifacts to third parties.
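A minimal chain-of-custody ledger that implements the points above, added here as an illustration and not part of the original policy: every entry records who collected what, when and with which command, carries the artifact's SHA-256, and commits to the previous entry's hash so a later edit of any record is detectable. Artifact names, contents and the collector name are constructed sample values.

```python
import hashlib
import json

# Constructed artifacts standing in for a log export and a disk image (not real evidence)
SAMPLE_ARTIFACTS = {
    "auth-service.log": b"2024-03-01T10:00:01 FAIL acct=u1001 ip=203.0.113.10\n",
    "db-volume.img": bytes(range(256)) * 4,
}
GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_entry(chain: list, artifact: str, data: bytes, collector: str, command: str, when: str) -> dict:
    """Append one chain-of-custody entry: who collected what, when, with which command, plus the
    artifact's SHA-256. Each entry also commits to the previous entry's hash, so a later edit of
    any earlier record breaks verification (pair this with WORM storage of the chain file)."""
    entry = {
        "seq": len(chain), "artifact": artifact, "sha256": sha256_hex(data), "size": len(data),
        "collector": collector, "command": command, "collected_at": when,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    chain.append(entry)
    return entry

def collect_all(artifacts: dict, collector: str, when: str) -> list:
    """Build a chain for every artifact; 'command' records how each copy was taken."""
    chain = []
    for name, data in sorted(artifacts.items()):
        record_entry(chain, name, data, collector, f"read-only copy of {name}", when)
    return chain

def verify_chain(chain: list, artifacts: dict) -> bool:
    """Recompute every entry hash and every artifact hash; False if any record or artifact changed."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != i or body.get("prev_hash") != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        if sha256_hex(artifacts.get(entry["artifact"], b"")) != entry["sha256"]:
            return False
        prev = entry["entry_hash"]
    return True
```

Write the resulting chain as JSON to the WORM archive alongside the artifacts; verify_chain is what a reviewer or a third party runs before accepting the evidence.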
7) Controlled communications (internal/external)
Do: be concise and factual, clear every message with IC/Legal, and state when the next update is due (e.g. every 60 minutes).
Don't: present hypotheses as facts, disclose PII, make accusations, or promise deadlines that have not been checked.
- Status update structure: What happened? / Severity / Scope of impact / Measures taken / Next steps / Next update in...
8) Typical playbooks by domain
A) PII leak (application/backend/vendor)
1. Bridge within 15 min → freeze suspicious endpoints/keys → enable enhanced auditing of data access.
2. Assess: determine the source, volume and types of PII, and the timeline.
3. Actions: rotate secrets, apply fixes, review access rights, isolate the vendor.
4. Notifications: DPA/regulator/users/partners (as required).
5. Player support: FAQ, support channel, recommendations (password change/fraud).
6. Post-mortem and CAPA.
B) Compromise of player accounts (ATO/credential stuffing)
1. Spike in ATO signals → tighten rate limits, enforce 2FA/WebAuthn, temporarily block withdrawals.
2. Cluster devices/IPs, notify affected players, reset tokens.
3. Review financial transactions; file a SAR if necessary.
C) KYC/sanctions-screening provider outage
1. Switch to the fallback provider, limit fast withdrawals, manual flow for VIPs.
2. Brief support and VIP managers; if the outage drags on, inform the regulator/banks (if checks are affected).
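The device/IP clustering in step 2 of playbook B, as an added example that is not part of the original document: failed logins are grouped by source IP and by device fingerprint inside a sliding window, a key that hits several distinct accounts is flagged as a credential-stuffing cluster, and accounts that then logged in successfully from a flagged source are listed for token reset and player notification. The log format, thresholds and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample (not real data): one login attempt per line
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL acct=u1001 ip=203.0.113.10 dev=fp-a1
2024-03-01T10:00:03 FAIL acct=u1002 ip=203.0.113.10 dev=fp-a1
2024-03-01T10:00:05 FAIL acct=u1003 ip=203.0.113.10 dev=fp-a1
2024-03-01T10:00:07 OK acct=u1003 ip=203.0.113.10 dev=fp-a1
2024-03-01T10:00:09 FAIL acct=u1004 ip=203.0.113.10 dev=fp-a1
2024-03-01T10:01:00 FAIL acct=u1005 ip=203.0.113.11 dev=fp-a1
2024-03-01T10:05:00 FAIL acct=u2001 ip=198.51.100.7 dev=fp-b2
2024-03-01T10:05:40 OK acct=u2001 ip=198.51.100.7 dev=fp-b2
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) acct=(\S+) ip=(\S+) dev=(\S+)$")

def parse(log: str) -> list:
    """Return (time, result, account, ip, device) tuples in time order; malformed lines are skipped."""
    rows = [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]
    return sorted((datetime.fromisoformat(t), r, a, i, d) for t, r, a, i, d in rows)

def find_ato_clusters(log: str, window_minutes: int = 5, min_accounts: int = 3) -> dict:
    """Group FAILed logins by source IP and by device fingerprint; a key failing against
    >= min_accounts distinct accounts inside one window is a cluster. Returns {(kind, value): accounts}."""
    by_key = defaultdict(list)
    for ts, result, acct, ip, dev in parse(log):
        if result == "FAIL":
            by_key[("ip", ip)].append((ts, acct))
            by_key[("dev", dev)].append((ts, acct))
    window, clusters = timedelta(minutes=window_minutes), {}
    for key, events in by_key.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            accts = {a for _, a in events[start:end + 1]}
            if len(accts) >= min_accounts:
                clusters[key] = sorted(accts | set(clusters.get(key, [])))
    return clusters

def likely_compromised(log: str, clusters: dict) -> set:
    """Accounts with a successful login from a flagged IP or device: reset their tokens first
    and notify those players (playbook B, step 2)."""
    flagged_ips = {v for k, v in clusters if k == "ip"}
    flagged_devs = {v for k, v in clusters if k == "dev"}
    return {a for _, r, a, ip, dev in parse(log)
            if r == "OK" and (ip in flagged_ips or dev in flagged_devs)}
```

Clustering by device fingerprint as well as by IP is what catches a campaign that rotates source addresses while reusing one browser profile.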
D) PSP/payment incident (chargebacks/compromise)
1. Enable strict 3DS/AVS, lower limits and tighten velocity rules; hold risk groups.
2. Inform the PSP/bank; on signs of laundering, EDD/SAR.
3. Restore and audit the declined traffic.
E) DDoS/unavailability
1. Activate WAF/geo-blocking/scrubbing; freeze releases.
2. Re-enable regions via canaries, monitor SLOs; post-mortem on resilience.
9) Tools and artifacts
SIEM/SOAR, IDS/IPS, WAF, EDR, DLP, secrets manager with vault rotation, anti-fraud anomaly detection, incident register, notification templates.
Artifacts: incident register, bridge protocol (timeline), forensics report, notification package (regulator/users/banks), post-mortem, CAPA tracker.
10) Metrics and targets
MTTD (mean time to detect), MTTC (mean time to contain), MTTR (mean time to recover).
Share of incidents with an established root cause ≥ 90%.
CAPA completion rate ≥ 95%.
Share of repeat incidents with the same root cause ≤ 5%.
Share of incidents closed within SLA: Medium ≥ 90%, High ≥ 95%, Critical ≥ 99%.
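How the targets above and the section 3 SLAs can be computed from the incident register, as an added example that is not part of the original document. The register rows are constructed; the assumed definitions are MTTD = occurrence to detection, MTTC = detection to containment, MTTR = detection to recovery, and "closed within SLA" = contained within the severity's SLA window measured from detection.

```python
from datetime import datetime
from statistics import mean

# Containment SLA per severity in minutes, as set in section 3
SLA_MINUTES = {"Low": 24 * 60, "Medium": 4 * 60, "High": 60, "Critical": 15}
# Minimum share of incidents that must meet the SLA, as set in section 10
SLA_TARGET = {"Medium": 0.90, "High": 0.95, "Critical": 0.99}

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed register rows: id, severity, occurred, detected, contained, recovered
REGISTER = [
    ("INC-1", "Critical", _t("2024-03-01T10:00"), _t("2024-03-01T10:10"), _t("2024-03-01T10:20"), _t("2024-03-01T11:10")),
    ("INC-2", "Critical", _t("2024-03-02T12:00"), _t("2024-03-02T12:30"), _t("2024-03-02T12:50"), _t("2024-03-02T14:30")),
    ("INC-3", "High", _t("2024-03-03T09:00"), _t("2024-03-03T09:20"), _t("2024-03-03T10:00"), _t("2024-03-03T13:20")),
    ("INC-4", "Medium", _t("2024-03-04T08:00"), _t("2024-03-04T10:00"), _t("2024-03-04T15:00"), _t("2024-03-04T18:00")),
]

def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def compute_metrics(register: list) -> dict:
    """Mean minutes: MTTD = occurrence -> detection, MTTC = detection -> containment,
    MTTR = detection -> recovery (assumed definitions; align with your register's fields)."""
    return {
        "MTTD": mean(minutes(occ, det) for _, _, occ, det, _, _ in register),
        "MTTC": mean(minutes(det, con) for _, _, _, det, con, _ in register),
        "MTTR": mean(minutes(det, rec) for _, _, _, det, _, rec in register),
    }

def sla_compliance(register: list) -> dict:
    """Share of incidents per severity contained within SLA_MINUTES of detection."""
    met, total = {}, {}
    for _, sev, _, det, con, _ in register:
        total[sev] = total.get(sev, 0) + 1
        met[sev] = met.get(sev, 0) + (minutes(det, con) <= SLA_MINUTES[sev])
    return {sev: met[sev] / total[sev] for sev in total}

def sla_breaches(register: list) -> list:
    """Severities present in the register whose compliance share is below the section 10 target."""
    shares = sla_compliance(register)
    return sorted(sev for sev, target in SLA_TARGET.items() if sev in shares and shares[sev] < target)
```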
11) RACI (high level)
Incident Commander (Ops/Sec): A for incident management, decisions, timeline.
Security Lead (R): technical analysis, forensics, containment/eradication.
Compliance/DPO (R, A for legal matters): leak qualification, notifications, mailings.
Legal (C): legal assessment, contracts/agreements, wording of letters.
SRE/Engineering (R): fixes, rollbacks, stability.
Payments/FRM (R): holds, anti-fraud thresholds, interaction with PSPs/banks.
PR/Comms (R): external messages, Q&A for support.
Support/VIP (I/C): front line of communication with players.
12) Templates (minimum set)
12.1 Incident card (register)
ID· Time of discovery· Class/severity· Affected (systems/data/jurisdictions)· IC· Technical/business owner· First measures· Volume/damage assessment· Notifications (to whom/when)· Links to artifacts· Status/CAPA/deadlines.
12.2 User notification (summary)
What happened; what data may have been affected; what we did; what we recommend to you; contact information; policy reference/FAQ.
12.3 Post-mortem (structure)
Facts/Timeline· Impact· Root Cause (5 Whys)· What worked/didn't work· CAPA (owner/deadline)· Effectiveness check after N weeks.
13) Integration with operations and compliance
CAB/change management: risky changes go only through feature flags/canaries; every release has a rollback plan.
Data and reporting: automated incident dashboards; linkage to KRIs (sanctions/PEP, KYC, CBR, ATO).
Risk: update the risk matrix and register, recalibrate thresholds after every major incident.
14) Exercises and readiness
Tabletop once a quarter (PII leak, KYC failure, ATO wave, PSP incident).
Red/Blue/Purple-team checks; joint exercises with vendors and PSP.
Readiness KPIs: share of employees who completed training; exercise success; average time to stand up the bridge.
15) Implementation Roadmap
Weeks 1-2: update roles/contacts, templates, backup providers.
Weeks 3-4: SOAR playbooks, bridge channels, test notifications, WORM archive.
Month 2+: regular exercises, log audits, automation of incident reporting.
TL;DR
Readiness = pre-agreed roles and thresholds + a fast bridge + hard containment + lawful and timely notifications + forensics with a chain of custody + mandatory post-mortems and CAPAs. This minimizes damage, reduces the risk of penalties and strengthens the trust of players and partners.