Decision Memo: Freeze the Account or Preserve Access?

Immediate suspension can stop harm, destroy visibility or lock out the only operator who can keep the institution moving. Choose by consequence.

The answer

A critical account shows suspicious activity. The team can freeze it immediately, preserve access while observing, or move the user into a controlled replacement identity. The wrong reflex can either extend the attack or destroy the institution’s only path to evidence and continuity.

Situation

A critical account shows suspicious activity. The team can freeze it immediately, preserve access while observing, or move the user into a controlled replacement identity. The wrong reflex can either extend the attack or destroy the institution’s only path to evidence and continuity.

Option A — freeze now

Use an immediate freeze when the account can still move money, export sensitive data, reset other identities, alter evidence or create physical risk. Freeze associated sessions and recovery routes, not only the username.

Cost: operations may stop, volatile evidence may disappear from the user interface and an attacker may change tactics.

Option B — preserve and observe

Use observation only when competent responders have sufficient telemetry, the suspected activity cannot create intolerable consequence during the observation window and legal authority is clear. Observation is not an excuse to delay a difficult decision.

Cost: the adversary may continue acting, discover monitoring or reach a more damaging asset.

Option C — controlled migration

Create a clean identity for legitimate work, transfer only necessary authority and place the suspect account into restricted observation. This is often the strongest option for executives and operators whose complete removal would create a second crisis.

Cost: rushed transfers can copy compromised sessions or grant duplicate authority.

Decision rule

- Freeze when consequence can occur faster than the team can observe and intervene.

- Observe only when the possible consequence is bounded and evidence value is material.

- Migrate when continuity is critical and authority can be reconstructed cleanly.

Recommendation

Before the incident, classify accounts by maximum consequence and pre-authorise the containment action for each class. During the incident, record decision time, evidence, maximum tolerated loss, continuity dependency, legal owner and next review point.

The objective is not to preserve access or destroy it. It is to preserve legitimate authority while removing the adversary’s ability to exercise it.

Sources

  1. NIST Cybersecurity Framework 2.0NIST Cybersecurity Framework 2.0

    Primary authority

  2. FINMA — Cyber risksFINMA

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
Decision Memo: Freeze the Account or Preserve Access?