Security · Liaison-led

Security incident: the first 48 hours

What a vetted agency does in the first 48 hours of a confirmed or suspected security incident. The window where the mark is most at risk. And most defensible.

Audience · Agencies · 9 min read

01

Hour 0. Confirm and contain

Trigger is any of: credential exposure, unauthorized access, data exfiltration, or material loss of an audit trail. 'We think we may have' is sufficient. Wait for certainty and the window has already closed.

Agency notifies the liaison within two hours of trigger, in writing, with the facts that are confirmed and a clean separation from the facts that are not. Speculation is named as speculation.

02

Hours 2–24. Disclose and document

Liaison and agency owner draft a joint written notice to affected buyers. Plain language, no qualifiers, named impact, named remediation in progress, named next update window.

Notice goes from the agency, not from Prevouched. The liaison is on the To line and is referenced as the standing accountability contact for follow-up.

Internal post-mortem timer starts now. Drafting begins before the incident closes.

03

Hours 24–48. Post-mortem and rubric review

Post-mortem draft completed within 48 hours. Public version redacts customer data; full version goes to Prevouched reviewer panel.

Reviewer panel scores the incident against the Security pillar of the rubric. Three outcomes: no change, observation note on file, or material rubric event. The last opens revocation review.

Disclosure to the directory: if the incident materially affects the badge's assertions, the verification page reflects status change within five business days.

Takeaways
  • 01 Trigger to liaison-notified in writing: ≤ 2 hours, even on incomplete facts.
  • 02 Buyer notification goes from the agency, with the liaison on the To line.
  • 03 Post-mortem draft exists within 48 hours; reviewer panel scores it against the rubric.