Incident Response Plan

Document ID: IRP-001 | Version: 1.0 | Effective: January 2026

1. Purpose

Establishes procedures for detecting, responding to, and recovering from security incidents affecting Keshless systems and data.

Scope: Security breaches, system compromises, fraud, AML violations, service disruptions

2. Incident Classification

Severity Levels

Severity	Response Time	Examples
CRITICAL	< 15 min	System compromise, active breach, sanctions match
HIGH	< 1 hour	Fraud detected, AML violation, service degradation
MEDIUM	< 4 hours	Suspicious activity, failed intrusion
LOW	< 24 hours	Phishing blocked, policy reminder

Incident Categories

Category	Description
Data Breach	Unauthorized access to data
System Compromise	Malware, unauthorized access
Financial Fraud	Transaction fraud, account takeover
AML Violation	Sanctions match, suspicious patterns
Service Disruption	DDoS, system failure
Insider Threat	Employee misconduct

3. Detection Sources

Automated Detection

Source	Detects
AML Rules Engine	Suspicious transaction patterns
Transaction Monitoring	High suspicion scores (≥80)
Rate Limiting	Brute force, DDoS attempts
Sanctions Screening	UN sanctions list matches
PEP Matching	Politically Exposed Persons

Manual Detection

Source	Examples
User reports	Unauthorized transactions
Employee observations	Suspicious behavior
Vendor notifications	Third-party breaches
Regulatory notices	Regulator-identified issues

4. Emergency Controls (Kill Switches)

Available Controls

Control	Severity	Impact
`SYSTEM_SHUTDOWN`	Critical	All API requests blocked
`DISABLE_ALL_TRANSACTIONS`	Critical	No payments or transfers
`READ_ONLY_MODE`	High	View only, no updates
`DISABLE_WITHDRAWALS`	High	Fraud protection
`DISABLE_P2P_TRANSFERS`	Medium	Block user-to-user
`DISABLE_BILL_PAYMENTS`	Medium	Block bill payments
`DISABLE_TOPUPS`	Medium	Block fund additions
`RATE_LIMIT_EXTREME`	Medium	DDoS protection

Control Decision Matrix

Incident Type	Recommended Control
Active data breach	`SYSTEM_SHUTDOWN`
Widespread fraud	`DISABLE_ALL_TRANSACTIONS`
Withdrawal fraud	`DISABLE_WITHDRAWALS`
P2P fraud scheme	`DISABLE_P2P_TRANSFERS`
DDoS attack	`RATE_LIMIT_EXTREME`
Database compromise	`READ_ONLY_MODE` + `DISABLE_ALL_TRANSACTIONS`

Activation/Deactivation

Activate: POST /api/admin/emergency/activate

Provide controlType and reason

Deactivate: POST /api/admin/emergency/deactivate

Provide controlId and resolution

Status: GET /api/admin/emergency/status

5. Response Phases

Phase 1: Identification

Objective: Confirm incident and assess impact

Verify alert is genuine
Gather initial information (what, when, what systems)
Classify severity
Notify IR Team Lead

Phase 2: Containment

Objective: Prevent further damage

Immediate:

Activate emergency controls
Isolate affected systems
Block compromised accounts
Preserve logs/evidence

Short-term:

Apply temporary fixes
Implement additional monitoring
Brief stakeholders

Phase 3: Eradication

Objective: Remove threat and fix vulnerabilities

Identify root cause
Remove malware/unauthorized access
Patch vulnerabilities
Verify threat eliminated

Phase 4: Recovery

Objective: Restore normal operations safely

Restore from clean backups (if needed)
Deactivate emergency controls (one at a time)
Verify systems functioning
Monitor for recurrence

Phase 5: Lessons Learned

Objective: Improve future response

Post-incident review (within 5 days)
Document timeline and actions
Update procedures
Share findings

6. AML-Specific Response

Sanctions Match Response

Transaction automatically blocked
Account flagged for review
Investigate match accuracy
If true positive: Freeze account, file SAR, report to FIU
If false positive: Document, unblock, mark resolved

Tipping-Off Prohibition

CRITICAL

DO NOT inform the customer that:

They are under investigation
A SAR has been filed
Their transactions are being monitored
They matched a sanctions list

Tipping-off is a criminal offense.

7. Communication Plan

Internal Communication

Severity	Who	When	Method
CRITICAL	CEO, CTO, All IT	Immediate	Phone + Slack
HIGH	CTO, Security Team	< 1 hour	Slack + Email
MEDIUM	Security Lead	< 4 hours	Email
LOW	Security Team	Next day	Email

Regulatory Communication

Regulator	Requirement	Timeframe
Central Bank	Security incidents	Within 72 hours
FIU	SAR filing, sanctions	Immediately
Data Protection	Data breaches	Within 72 hours

Customer Communication

Scenario	Required?	Notes
Data breach	Yes	After containment
Service disruption	Yes	Status page
Account frozen (non-AML)	Yes	SMS/Email
Account frozen (AML)	NO	Tipping-off prohibition

8. Roles and Responsibilities

Role	Responsibilities
Incident Commander	Overall coordination (CTO)
Technical Lead	Investigation, containment
Security Analyst	Forensics, evidence
Compliance Officer	Regulatory notification, SAR
Communications Lead	Internal/external comms

Escalation

CRITICAL → Security → CTO → CEO → Board
HIGH     → Security → CTO
MEDIUM   → Security Lead
LOW      → Security Team (no escalation)

9. Evidence Preservation

Evidence Type	Source	Action
System logs	Cloud Logging	Export to secure storage
Audit logs	PostgreSQL	Database snapshot
Affected data	Application	Snapshot
User sessions	Application	JWT tokens, session data

Chain of Custody:

Document collector and timestamp
Store in access-controlled location
Calculate SHA-256 hash
Log all access

10. Testing

Drill Type	Frequency
Tabletop exercise	Quarterly
Technical drill	Semi-annually
Full simulation	Annually

Drill Scenarios

Data breach simulation
Fraud ring response
Sanctions match handling
DDoS attack response

Quick Reference Cards

Critical Incident Response

┌─────────────────────────────────────────────────┐
│           CRITICAL INCIDENT RESPONSE            │
├─────────────────────────────────────────────────┤
│ 1. CONFIRM incident (not false positive)        │
│ 2. ACTIVATE emergency control                   │
│    - Data breach → SYSTEM_SHUTDOWN              │
│    - Fraud → DISABLE_ALL_TRANSACTIONS           │
│ 3. NOTIFY CTO immediately (phone)               │
│ 4. PRESERVE evidence                            │
│ 5. BEGIN investigation                          │
│ 6. NOTIFY regulators within 72 hours            │
└─────────────────────────────────────────────────┘

AML Alert Response

┌─────────────────────────────────────────────────┐
│              AML ALERT RESPONSE                 │
├─────────────────────────────────────────────────┤
│ 1. REVIEW alert in dashboard                    │
│ 2. INVESTIGATE transactions and customer        │
│ 3. DO NOT contact customer (tipping-off)        │
│ 4. If TRUE POSITIVE:                            │
│    - Freeze account                             │
│    - Draft and file SAR                         │
│ 5. If FALSE POSITIVE:                           │
│    - Document rationale                         │
│    - Mark as RESOLVED_FALSE_POSITIVE            │
└─────────────────────────────────────────────────┘

Document Control: Version 1.0 | January 2026 | Security Team

Incident Response Plan ​

1. Purpose ​

2. Incident Classification ​

Severity Levels ​

Incident Categories ​

3. Detection Sources ​

Automated Detection ​

Manual Detection ​

4. Emergency Controls (Kill Switches) ​

Available Controls ​

Control Decision Matrix ​

Activation/Deactivation ​

5. Response Phases ​

Phase 1: Identification ​

Phase 2: Containment ​

Phase 3: Eradication ​

Phase 4: Recovery ​

Phase 5: Lessons Learned ​

6. AML-Specific Response ​

Sanctions Match Response ​

Tipping-Off Prohibition ​

7. Communication Plan ​

Internal Communication ​

Regulatory Communication ​

Customer Communication ​

8. Roles and Responsibilities ​

Escalation ​

9. Evidence Preservation ​

10. Testing ​

Drill Scenarios ​

Quick Reference Cards ​

Critical Incident Response ​

AML Alert Response ​