HECVAT Category
Incident Handling
Incident Handling covers controls and questions related to that domain. It outlines expectations institutions typically require from vendors. The category helps assess risk posture and operational maturity. It provides structure for consistent evaluation during security reviews.
Assessment Questions
Do you have a formal incident response plan?
At issue is whether your organization maintains a formal, documented incident response plan for handling security incidents in a structured way. A formal incident response plan is a documented set of procedures that outlines how your organization will detect, respond to, and recover from security incidents.
Do you either have an internal incident response team or retain an external team?
Incident response capacity is under review: the question is whether you maintain a dedicated response team, staffed internally or retained from an external provider.
Do you have the capability to respond to incidents on a 24 x 7 x 365 basis?
Round-the-clock readiness is what's being checked, meaning your ability to respond to security incidents at any hour, on any day, every day of the year.
Do you carry cyber-risk insurance to protect against unforeseen service outages, data that is lost or stolen, and security incidents?
Cyber-risk insurance is the subject here, the specialized coverage that helps absorb the financial fallout of service outages, lost or stolen data, and security incidents.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

