How a Business Continuity Plan can Help Financial Institutions Stay Secure and Hold on to Trust

A BCP is a collection of procedures and information that ensures critical business processes continue during emergencies, whether disaster strikes or there is a cybersecurity breach.

July 26, 2018 by Patrick Whelan, Practice Director for Finance IT Services

For financial institutions, trust is an intangible but essential asset. System downtime, whether due to a natural disaster or a cyber-attack, can easily damage the bond of trust a bank has with its clients. Lost confidence is something financial institutions only very rarely recover from, and that is why Business Continuity Planning (BCP) matters.

While it's important for BCPs to focus on the impact physical threats and natural disasters can have on key business processes, financial institutions must take one more eventuality into account: the threat of cyber-attacks to the integrity and security of customer data. Procedures need to be in place that ensure quick recovery and immediate resumption of business activities.

Key Considerations in Establishing a BCP

Key components of BCPs for financial institutions include a business continuity strategy, business impact analysis, risk assessment, and risk monitoring and testing activities.

A good plan always considers three phases: preparations made beforehand that reduce the probability and impact of an incident; steps to take during the incident; and procedures to resume operations, as close to normal levels and in as short a time as possible.

The plan considers (among other things) personnel, facilities, communication, electronic payment systems, liquidity concerns, financial disbursements, manual operations, other considerations necessary for operations, and most notably cyber resilience.

Finally, any good BCP seeks to manage not just the incident itself, but also the perception of the incident by clients, regulators and the public.

Defining and establishing a BCP takes careful planning and expertise. For financial institutions with limited resources, a virtual Information Security Officer (vISO) service can be a valuable alternative.

Stopping Cyber-Attacks Before They Begin

Unfortunately, financial institutions are a target for cyber-attackers, who value the confidential consumer information these institutions have. Luckily, developing a proactive approach to cyber-resilience can help in lessening the risk of an attack.

Developing a cybersecurity component of an organization-wide BCP can minimize the impact of a looming cybersecurity disaster. Written as an extension of the organization-wide BCP, the cybersecurity BCP can incorporate the same recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path as the original, but provide specific scenarios that address the most prevalent types of cyber-attacks.

The cybersecurity BCP should specifically address the recovery steps for each cybersecurity scenario. During the annual full test of the BCP, specific cybersecurity testing scenarios can be used to confirm that the cybersecurity BCP will be effective in a real-life attack.

A Tool to Assess Security

For the Federal Financial Institutions Examination Council (FFIEC), an inter-agency body of financial regulators, assessing institutional responses to cyberattacks is of paramount importance.

As financial organizations are especially vulnerable to mass-scale cyber-attacks, the FFIEC recommends that stakeholders assess their own vulnerability using its Cybersecurity Assessment Tool.

The Cybersecurity Assessment Tool helps institutions identify their particular risks and test their organization's cybersecurity preparedness. For stakeholders taking the test, it becomes immediately apparent that developing a cybersecurity BCP as part of one's information security program is now priority one.

Financial institutions realize that trust is quite hard to hold on to, but putting a BCP in place gives them a chance to hold on to hard-won trust with a lot more confidence.