
Six Steps to Building a Resilient Enterprise

October 25, 2018

By John Doherty and Mark Watson

Cybersecurity and privacy remain at the top of board, C-suite and regulatory agendas. Fears of loss of customer or proprietary data have long been the key concern and are still critically important.

However, the fact that malicious destruction or disablement of data, systems or even entire banks is now a clear motive of certain threat actors has quickly moved the discussion to the firm’s resilience against cybersecurity risks. Banks are recognizing that for good business reasons—and to address clients’ and regulators’ concerns—they need to take a fresh and continuous look at their entire cybersecurity and operational risk programs, with a keen eye focused on promoting stronger resilience.

This includes preparing for and limiting the effects and probability of cyber-related disruptions, managing through and recovering from disruptions, and continually improving resilience after past events. Inevitably, this means bridging areas such as cybersecurity, operational and technology resilience, and privacy (see sidebar).

Leading firms focus on six key actions:

1. Govern and challenge cybersecurity and resilience strategy

Strong cybersecurity resilience requires firms to:

  • Establish effective board oversight and challenge. The board needs a solid understanding of the firm’s cyber risk profile and should continue to challenge management on how they are adapting to evolving threats and vulnerabilities.
  • Integrate business, operations and technology. Everyone helps manage cybersecurity risks. The first line—businesses, technology and cybersecurity—prepares for and manages through disruptions. Corporate functions—notably, legal, compliance, regulatory affairs, corporate communications, HR and procurement—play a role. This second line develops the cyber risk framework and assesses how well the first line implements it. Internal audit (the third line) validates the effectiveness of first- and second-line activities.
  • Implement a cascading set of metrics and triggers. The first line needs key risk, controls and performance indicators to manage resilience. Second-line risk metrics tie to the board-approved risk appetite statement. Firms should collect intelligence from external sources (including third parties) and across the organization, including from day-to-day operations, and combine it with cybersecurity intelligence.

Differentiating Cybersecurity from Resilience from Privacy
Firms need to be resilient to a host of risks, including weather-related events, technology outages and human error. Cyber risk is just one more to manage in that context. Some aspects of cybersecurity directly support resilience; some are targeted at protecting client and employee privacy; and others focus on the threat of data theft (e.g., of intellectual property). Similarly, some aspects of protecting privacy (e.g., mapping data flows) directly support resilience, while others support the firm’s overall privacy-risk activities.

2. Focus on what is most important

Firms need a differentiated approach to protecting their most important processes and assets. They should:

  • Take an enterprise-wide, prioritized view of critical processes. Firms need a top-down view on what business processes are most critical to everyday functioning (critical business flow for the organization). Some banks have to determine what processes have an industry-wide role; regulators view those as top priorities.
  • Identify high-value assets. Such assets could be strategic or financial data, intellectual property, sensitive customer data or other confidential data (e.g., executives’ emails).

3. Maintain and practice business-driven resilience plans

Businesses own their cyber-related resilience plans and must:

  • Map critical business processes from end to end. This includes processes, applications, infrastructure, middleware, people (including subject-matter experts), third parties and data flows, processing alternatives, as well as single points of failure and concentration (such as location, shared services, vendor and infrastructure).
  • Develop robust business impact assessments. BIAs should cover high-value assets, evaluate capacity and capabilities across business, people, process and technology, and address risks that may occur at different times of the day, month and quarter.
  • Maintain well-designed, tested business continuity plans. BCPs should address situations where technology is unavailable and include workarounds and alternate processing options. Makeshift processes should be well-documented and tested regularly, and employees should be trained on how and when to use them.
  • Conduct routine testing and simulations. The first, second and third lines need to conduct routine tests to assess how systems can be penetrated and to identify new vulnerabilities. Firms should conduct simulations against a range of scenarios, from cybersecurity breaches, to technology or third-party outages, to operational or location failures. Worst-case cybersecurity scenarios (e.g., the corruption of production and backup data) should be considered. Routine simulations help build “muscle memory” at the senior management and board levels, as well as across the firm at less senior levels, so leaders and those executing continuity plans are ready to address events in a logical and controlled manner. Firms should use the results—and real-life disruptions—to improve.

4. Make sure technology is resilient

Technology is important, so firms should:

  • Segment critical systems and implement isolated recovery. Too often in breaches, attackers enter through less-protected systems and maneuver to critical systems. Firms should segment networks and systems, limit points of attack and entry, and implement a means for isolated recovery of data when it is compromised.
  • Harden access rights. Firms should re-assess access privileges when individuals are promoted or transferred, especially for employees who access critical systems. Access rights of third parties (especially client-hosted platforms)—and in some cases, clients—need ongoing vigilance. Firms are using new identity and access management approaches to address this risk, including more effective automated solutions.
  • Address IT obsolescence. Every firm has a strategy for managing system obsolescence, including end-of-life and end-of-service hardware and software. Firms need an explicit strategy for reducing dependency on redundant systems and validating that IT obsolescence does not create critical-process vulnerabilities. Strong patch management is important.
  • Consider new approaches to store data. Many firms are re-examining how they support local and remote high availability and recovery for critical systems and data, including an enhanced role for cloud technologies.

5. Manage critical third and fourth parties

Because financial institutions increasingly depend on third parties (and even fourth parties), they must:

  • Implement robust and well-tested vendor resilience and cybersecurity practices. Firms should validate that third parties have the same level of resilience they do and that they can get their systems back up quickly after disruptions, especially prolonged ones. For critical vendors, this can include site visits and simulated outages. From a privacy perspective, firms need to validate they have the ability and authority to securely move customer data from one place or vendor to another, if needed during a disruption.
  • Monitor critical vendors. Firms need to build terms into service-level agreements that define the key risk and performance resilience indicators the third party has to deliver against. Firms can leverage performance data to monitor key vendors on a real-time or near-real-time basis—for example, to spot greater-than-expected system latency.
  • Analyze fourth-party dependencies. The financial services industry is complex, and some vendors support a range of firms either directly or indirectly (as fourth parties). Banks should identify where fourth-party concentrations exist and factor that into continuity plans.
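The end-to-end mapping in step 3 (single points of failure and concentration) and the fourth-party analysis above both reduce to the same question: which party, direct or indirect, would disrupt the most critical processes if it went down? The following is an added illustration, not code from the article or from Ernst & Young; the bank, processes and vendor names are constructed, and it generalizes the idea to any depth of supplier chain.

```python
from collections import defaultdict

# Constructed sample dependency map for a hypothetical bank (not from the article):
# critical business process -> third-party vendors it relies on directly
PROCESS_VENDORS = {
    "wire transfers":     ["CoreBankingCo", "SwiftGatewayInc"],
    "online banking":     ["CoreBankingCo", "WebHostCo"],
    "card authorization": ["CardSwitchCo"],
    "payroll":            ["HRCloudCo"],
}
# vendor -> the suppliers it in turn depends on (fourth parties from the bank's view)
VENDOR_DEPS = {
    "CoreBankingCo":   ["CloudRegionA"],
    "SwiftGatewayInc": ["CloudRegionA"],
    "WebHostCo":       ["CloudRegionA", "CdnCo"],
    "CardSwitchCo":    ["CloudRegionB"],
    "HRCloudCo":       ["CloudRegionB"],
}

def transitive_dependencies(vendor, vendor_deps, seen=None):
    """Every third/fourth/nth party reachable from a vendor (cycle-safe walk)."""
    seen = set() if seen is None else seen
    for dep in vendor_deps.get(vendor, []):
        if dep not in seen:
            seen.add(dep)
            transitive_dependencies(dep, vendor_deps, seen)
    return seen

def concentration_report(process_vendors, vendor_deps):
    """Map each party (direct or indirect) to the critical processes its
    outage would disrupt; largest blast radius first, ties by name."""
    impacted = defaultdict(set)
    for process, vendors in process_vendors.items():
        for vendor in vendors:
            impacted[vendor].add(process)
            for dep in transitive_dependencies(vendor, vendor_deps):
                impacted[dep].add(process)
    return sorted(((party, sorted(procs)) for party, procs in impacted.items()),
                  key=lambda item: (-len(item[1]), item[0]))

def single_points_of_failure(process_vendors, vendor_deps, threshold=2):
    """Parties whose outage would take down at least `threshold` critical processes."""
    return [party for party, procs in concentration_report(process_vendors, vendor_deps)
            if len(procs) >= threshold]

if __name__ == "__main__":
    for party, procs in concentration_report(PROCESS_VENDORS, VENDOR_DEPS):
        print(f"{party:16s} impacts {len(procs)} process(es): {', '.join(procs)}")
```

In the sample data, CloudRegionA never appears in the bank's own vendor list, yet it sits under three different direct vendors; that hidden concentration is exactly what the fourth-party analysis is meant to surface and feed into continuity plans.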

6. Detect, respond and recover effectively

Firms will experience disruptions, some of which will be cybersecurity or privacy related, so they need to:

  • Maintain a documented and tested crisis management framework. This should link the various incident response programs (e.g., cybersecurity, technology, HR, financial), and include protocols on how and when to invoke crisis management (and when necessary, disaster recovery).
  • Involve cybersecurity and privacy in all major events. Sometimes an event that is unrelated to cybersecurity or privacy risks quickly becomes one as bad actors seek to take advantage. The cyber and privacy teams should be engaged early in disruptions and be on heightened vigilance until they are properly extinguished.
  • Establish post-event de-escalation and recovery protocols. Firms need post-cybersecurity event protocols, processes to verify the completeness and accuracy of information, and a means to recover data in a ransomware situation so backup data does not get corrupted. Protocols should also require documentation of decisions taken through the event, especially those accepting more risk than normal. In addition, firms should conduct a post-mortem review to assess the response, both what went well and what could be improved, and act on the enhancements it identifies.

Maintaining firmwide resilience amid ever-growing cyber threats is increasingly difficult. It requires firms to connect myriad processes and plans, and broad swaths of the firm’s businesses, functions and senior leadership. However, such resilience is increasingly gaining importance. The stability of firms, banks and the market as a whole is at stake.

John Doherty is a partner, and Mark Watson an executive director, at Ernst & Young LLP.
