# WiBiz Incident Response Plan

**Document:** WiBiz_Incident_Response_Plan_v1.0  
**Owner:** Digital Benefits Pte Ltd  
**Classification:** Internal -- Confidential  
**Version:** v1.0  
**Effective Date:** 15 April 2026  
**Review Cycle:** Annual (next review: April 2027)

---

## 1. Incident Classification

| Priority | Examples | Response Time |
|----------|----------|---------------|
| P1 -- Critical | Confirmed data breach, full system outage, ransomware, unauthorized access to client data | Immediate (within 15 minutes) |
| P2 -- High | Partial outage affecting client operations, suspected breach under investigation, payment processing failure | Within 1 hour |
| P3 -- Medium | Anomalous activity detected, policy violation by team member, single-channel degradation | Within 4 hours |
| P4 -- Low | Minor configuration error, isolated bug with no data impact, failed login attempts below threshold | Within 24 hours |

**Escalation rule:** Any incident involving client personal data, healthcare data, or payment data is automatically P1 until downgraded by the Incident Commander.

---

## 2. Incident Response Team

| Role | Assigned To | Responsibility |
|------|-------------|----------------|
| Executive Sponsor | CEO (Nick) | Final authority on external communications, regulatory notifications, and budget decisions |
| Incident Commander | Designated Security Lead (TBA -- assign by May 2026) | Owns the incident from detection to closure. Coordinates all response activities. Makes containment decisions. |
| Communications Lead | Chielo | Internal team updates, client notifications, regulatory correspondence drafting |
| Technical Lead | On-call developer / platform admin | Executes containment and recovery actions on affected systems |

**Until a dedicated Security Lead is appointed, the CEO acts as Incident Commander for P1/P2 incidents.**

---

## 3. Response Phases

### Phase 1: Detection
- Monitor alerts from hosting providers (Vercel, cloud CRM platform), payment processors (Stripe, Razorpay), and AI service providers (Anthropic, ElevenLabs).
- Team members report suspected incidents to the Incident Commander immediately via the designated internal channel (WhatsApp group or Discord).
- Log the initial report: who detected it, when, what was observed.

### Phase 2: Containment
- **Short-term (first 30 minutes for P1):** Isolate affected systems. Revoke compromised credentials. Disable affected integrations or API keys. If a client sub-account is compromised, disable its automations immediately.
- **Long-term:** Implement temporary fixes to prevent spread while preserving evidence. Do not wipe logs or redeploy until evidence is preserved.

### Phase 3: Eradication
- Identify and remove the root cause (malicious code, misconfiguration, compromised account).
- Rotate all credentials that may have been exposed: API keys, database passwords, OAuth tokens, service accounts.
- Patch the vulnerability or close the attack vector.

### Phase 4: Recovery
- Restore systems from verified clean backups if needed.
- Redeploy affected services with fixes applied.
- Monitor closely for 48 hours post-recovery for recurrence.
- Confirm with affected clients that service is restored.

### Phase 5: Post-Incident Review
- Conduct within 5 business days of incident closure.
- Use the Post-Incident Review Template (Section 6 below).
- Document lessons learned and assign remediation actions with owners and deadlines.

---

## 4. Communication Plan

| Audience | P1/P2 Timeline | P3/P4 Timeline | Channel |
|----------|----------------|----------------|---------|
| Internal team | Within 1 hour of detection | Within 24 hours | WhatsApp/Discord internal channel |
| CEO (if not already involved) | Immediately for P1, within 1 hour for P2 | Daily summary | Direct message |
| Affected clients | Within 24 hours if their data is affected | Only if service impact is visible | Email + WhatsApp (direct to client contact) |
| PDPC Singapore | Within 72 hours if personal data of Singapore residents is breached | N/A | PDPC breach notification form |
| EU supervisory authority (GDPR) | Within 72 hours if EU personal data is breached | N/A | Relevant authority's notification portal |
| Channel partners (BC360, Anil) | Within 48 hours if their clients are affected | As needed | Email to partner contact |

**Rule:** No external communication goes out without CEO approval. Draft all client and regulatory notifications before sending.

---

## 5. Evidence Preservation

When an incident is detected:
1. Do not restart, redeploy, or wipe any affected system until evidence is secured.
2. Export and preserve: server logs, application logs, access logs, API call records, database query logs.
3. Screenshot any anomalous dashboard states or error messages.
4. Record the chain of custody: who accessed what evidence and when.
5. Store all evidence in a dedicated incident folder: `WiBiz OS/05 Operations/Incidents/[YYYY-MM-DD]-[short-description]/`
6. Retain incident evidence for a minimum of 3 years.

---

## 6. Post-Incident Review Template

```
INCIDENT ID:        [INC-YYYY-MM-DD-001]
PRIORITY:           [P1/P2/P3/P4]
INCIDENT COMMANDER: [Name]
DATE OF INCIDENT:   [YYYY-MM-DD]
DATE OF REVIEW:     [YYYY-MM-DD]

1. WHAT HAPPENED
   [Plain-language summary of the incident]

2. TIMELINE
   [Chronological list: detection time, containment actions, resolution, closure]

3. ROOT CAUSE
   [Technical root cause and contributing factors]

4. IMPACT
   - Systems affected:
   - Clients affected:
   - Data affected (type and volume):
   - Duration of impact:

5. WHAT WENT WELL
   [Actions that worked effectively during response]

6. WHAT NEEDS IMPROVEMENT
   [Gaps in detection, response, or communication]

7. REMEDIATION ACTIONS
   | Action | Owner | Deadline | Status |
   |--------|-------|----------|--------|

8. LESSONS LEARNED
   [Specific changes to prevent recurrence]
```

---

## 7. Key Contact List

| Contact | Name / Entity | Phone | Email | When to Contact |
|---------|---------------|-------|-------|-----------------|
| CEO / Executive Sponsor | Nick | [FILL] | nicklaus@wibiz.ai | All P1, P2 incidents |
| Governance Lead | Chielo | [FILL] | [FILL] | Client/regulatory comms |
| Legal Counsel | [FILL -- appoint by Q3 2026] | [FILL] | [FILL] | Any confirmed data breach |
| PDPC Singapore | Personal Data Protection Commission | -- | https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-breach-management | Breach involving SG personal data |
| Vercel Support | Vercel | -- | https://vercel.com/support | Platform/hosting incidents |
| Stripe Support | Stripe | -- | https://support.stripe.com | Payment data incidents |
| Anthropic Support | Anthropic | -- | https://support.anthropic.com | AI API incidents |

**Action item:** Fill all [FILL] entries within 30 days of policy adoption.

---

## 8. Annual Tabletop Exercise

- Conduct one tabletop exercise per calendar year simulating a P1 incident scenario.
- Rotate scenarios annually: data breach, ransomware, cloud provider outage, insider threat.
- All Incident Response Team members must participate.
- Document the exercise, findings, and any plan updates in the Incidents folder.
- First exercise deadline: Q3 2026.

---

*End of document. Next review: April 2027.*
