Home / Trust / Incident response

Incident response.

Escalation paths, customer notification SLAs, APRA CPS 234 alignment, and what happens after an incident closes. No softening.

Escalation paths

All security events enter a single intake queue monitored by the on-call engineer. The on-call engineer is responsible for initial triage within one hour of detection. Triage produces a severity classification that determines the escalation path:

  • P1. Critical. Confirmed or probable data breach, service-wide unavailability, or active compromise of infrastructure. Incident lead notified immediately. Customer notification process starts within two hours of P1 classification. Regulatory notification assessment starts in parallel.
  • P2. High. Suspected breach under investigation, significant service degradation affecting multiple customers, or failed access-control enforcement. Incident lead notified within one hour. Customer notification assessment begins if P2 is not resolved or downgraded within four hours.
  • P3. Standard. Single-customer service issues, failed monitoring alerts with no data impact, or anomalous activity with no confirmed breach. On-call engineer handles; no immediate customer notification unless the issue escalates.

Customer notification SLAs

Initial notice
24 hours
From confirmed breach · Privacy Act NDB scheme requirement
Detail notice
72 hours
Scope, data categories affected, and immediate remediation taken
Post-incident report
14 days
Root cause, timeline, corrective actions, and control changes

The initial 24-hour notice goes to the primary technical contact and the account Admin for every affected customer. It states what we know, what we do not yet know, and what we are doing. We do not wait until we have a complete picture before notifying; we notify as soon as a breach is confirmed and update as the investigation progresses.

For breaches that trigger the Privacy Act Notifiable Data Breaches scheme, Fydis also notifies the Australian Information Commissioner within the required timeframe. Customers are informed when a regulatory notification has been made.

CPS 234 alignment

Fydis’s incident classification model is aligned to APRA Prudential Standard CPS 234, which defines a “material information security incident” as one that has, or could have, a material impact on the ability of the entity (or its service recipient) to maintain the integrity, confidentiality, or availability of information assets. Under this definition:

  • P1 incidents are classified as material and trigger the CPS 234 notification process.
  • P2 incidents are assessed for materiality within four hours; confirmed material P2 incidents escalate to the same notification path as P1.
  • P3 incidents are logged but not treated as material unless they escalate.

Customers in the APRA-regulated sector can request the CPS 234 incident classification matrix and the board reporting template used for the quarterly information security review.

Post-incident transparency

Within 14 days of an incident being closed, Fydis publishes a post-incident report to all affected customers. The report covers:

  • Timeline from first detection to containment and closure.
  • Root cause and contributing factors.
  • Data categories and customer accounts affected.
  • Immediate remediation steps taken during the incident.
  • Corrective actions and control changes implemented or scheduled as a result.

Root-cause findings are not redacted. If the incident resulted from a control gap, the report says so and describes how that gap is being closed.

Testing cadence

The incident response plan is tested annually via a tabletop exercise with the team and security advisors. The exercise uses a realistic scenario drawn from the threat model for AU regulated-entity data. Findings are documented and used to update the plan. The tabletop date and a summary of findings are available to Enterprise customers on request.

Walk a CPS 234 incident scenario with the team.

30 minutes. We run a realistic incident from the threat model against the live sign-off chain, showing notification timing, classification matrix, and the regulator-facing artefact at the end. Bring your contract’s notification clauses.

Questions? Email hello@abrlabs.io to request the CPS 234 incident classification matrix, the tabletop exercise findings, or to discuss incident notification requirements for your contract.