By David Halford:

A vital component of our nation’s critical infrastructure is the financial services sector, and risk management professionals in this industry understand the importance of protecting an organization against weather disasters and cyberattacks. In the case of cybersecurity, recent disasters like the Equifax data breach serve as a dour reminder that it’s not enough to just respond; an organization must have a defined program to protect the business in the face of unrelenting hackers and attackers, which cannot be ignored.

Preparing for the Worst: Why financial institutions can’t afford to ignore risk management and business continuity in the face of cyber attacks

Events like cyber crisis response goes beyond firewalls and secure networks – you need a defined plan for the business and assurance that works for any situation

Financial institutions lie on a foundation of trust – from the customer to its employee. Without trust, a financial institution is nothing. Banks can face many disruptions that affect the way the organization runs and how it manages its customers and company data.

Cyberattacks have been a common trend in the financial industry in the last decade or so. We have seen the kind of damage that can be done when these kind of disruptions take place in an organization.

According to the Financial Threats Review 2017 Symantec Report, although they have seen 36 percent decrease in detection numbers for financial malware in 2016, it was mainly due to earlier detection in the attack chain and more focused attacks. Yet, with more than 1.2 million annual detections, the financial threat space is still 2.5 times bigger than that of ransomware. Cyberattacks are still a large threat to financial institutions.

Financial institutions cannot afford to ignore business continuity and risk management because:

• You can lose the trust of your customers, stockholders and employees
• The financial burden may be greater internally and externally
• If a disaster like a cyberattack were to strike, the recovery process may take a significant amount of time

Fortunately, risk management professionals in the financial sector can take some proactive steps to protect their organizations and ensure an effective business response when cyber crises strike:

Establish a base line. Before building a cyber-crisis plan, the organization must define the levels of acceptable – and unacceptable – risk for operational disruption in each area of the company, and identify the strategies and investments needed to achieve and maintain tolerable levels. While data protection requirements are absolute, the balancing act between operational resilience versus tolerable service outages or business downtime is necessary, because vulnerabilities and threats are endless, but the funds to address them are not.

Align risk management resources. Cyber-crisis plans need to be developed and maintained in alignment with the requirements and cadence of the organization’s business continuity and disaster recovery programs. A comprehensive approach to an overall program enables risk management professionals to work in tandem with IT, security, and business continuity teams to ensure all parties have the same understanding of the cyber-crisis plan and that it has been well tested and shows readiness and maturity. Such capabilities come only by starting with well-aligned resources and a comprehensive approach.

Review current policies, processes, and tools. The goal is to understand current capabilities from an operational perspective – if a cyber-threat occurs, how are business operations impacted? A thorough process includes determining whether there is an end-to-end system in place to ensure the protection of all identified data assets.

What gaps have been identified in technologies, facilities, third parties, processes and people? How do they impact prevention, response, and recovery? Does the cyber-crisis plan address all the major types of cyber vulnerabilities, with an understanding of the potential outage durations and recovery time objectives? While business continuity and IT disaster recovery plans address business impact, cyber threats represent very different types of disruptions than have typically been considered in traditional plans.

Build the plan. A plan should establish a management methodology for how all employees conduct themselves during a cyber-crisis. Establish when and how to create a command center to respond to the crisis on a reactive level, with IT physically working to secure information and back up data – but don’t forget about the communications aspect of the plan.

In compliance with regulatory requirements, and as a good business practice, there must be defined processes to notify employees and stakeholders, as well as customers and external entities, of a disruption, outage or breach. One of the toughest – but most important – aspects of a cyber-event revolves around who alerts customers, who speaks to the media, who works with authorities, and when that should happen. Response times and the messaging can impact the business more than the actual event.

Design different response and recovery plans for different scenarios. It’s crucial to understand the scope, preparation, and identification of the various types of issues that can occur and how best to respond. An organization must effectively orchestrate its response based on the scenario, assigning specific actions to specific individuals as the situation requires.

In the financial sector, three main events to plan for include ransomware attacks, data corruption, and data breaches/information theft. All of these scenarios require specific procedures and steps to ensure the proper response, and a swift recovery, for customers and stakeholders, the business, and the brand.

Ensure validation by testing, testing, testing. It’s not enough to have a plan on paper; an organization must establish and continuously maintain capabilities to ensure an effective response, and the way to do that is to test it.

Plan tabletop exercises to ensure people are ready. Put responsible teams and individuals in a room and testing their ability to react to various scenarios. Exercise multiple plans under given scenarios to ensure disparate groups will work together in a coordinated response. Run simulations to fully exercise the crisis command center with all of the plans and associated groups involved.

Additionally, consider coordinating recurring cyber security awareness training for your organization with these tabletops, exercises, and simulations.

Establish governance. A cyber-crisis plan is not solely IT’s responsibility. To ensure an effective response within tolerable levels of risk and business impact, risk management professionals must ensure a comprehensive program is established and maintained across all affected business areas, so people and plans are successful when called upon to act.

Cyber risk management is a critical area that needs to be planned for, governed and exercised – not an optional activity – and must be one part of an organization’s overall risk management strategy. It simply cannot be ignored.

It is no surprise that financial institutions, like TBK Bank, with 55 branches, and multiple ATMs has chosen a risk management plan based on their customer demands and privacy. Fusion Risk Management recently created a case study on why TBK Bank decided to pursue a business continuity plan that has helped them mitigate risk as they continue to grow and mature, which you can read here.

About the Author: David Halford is director of advisory services for Fusion Risk Management. He can be reached at dhalford@fusionrm.com.