By John Doherty and Mark Watson
Cybersecurity and privacy remain at the top of board, C-suite and regulatory agendas. Fears of loss of customer or proprietary data have long been the key concern and are still critically important.
However, the fact that malicious destruction or disablement of data, systems, or even entire banks is now a clear motive of certain threat actors has quickly moved the discussion to the firm’s resilience against cybersecurity risks. Banks are recognizing that, for good business reasons and to address clients’ and regulators’ concerns, they need to take a fresh and continuous look at their entire cybersecurity and operational risk programs, with a keen eye on promoting stronger resilience.
This includes preparing for and limiting the effects and probability of cyber-related disruptions, managing through and recovering from disruptions, and continually improving resilience after past events. Inevitably, this means bridging areas such as cybersecurity, operational and technology resilience, and privacy (see sidebar).
Leading firms focus on six key actions:
1. Govern and challenge cybersecurity and resilience strategy
Strong cybersecurity resilience requires firms to:
- Establish effective board oversight and challenge. The board needs a solid understanding of the firm’s cyber risk profile and should continue to challenge management on how they are adapting to evolving threats and vulnerabilities.
- Integrate business, operations and technology. Everyone helps manage cybersecurity risks. The first line (the businesses, technology and cybersecurity) prepares for and manages through disruptions. Corporate functions, notably legal, compliance, regulatory affairs, corporate communications, HR and procurement, form the second line: they develop the cyber risk framework and assess how well the first line implements it. Internal audit (the third line) validates the effectiveness of first- and second-line activities.
- Implement a cascading set of metrics and triggers. The first line needs key risk, control and performance indicators to manage resilience. Second-line risk metrics tie to the board-approved risk appetite statement. Firms should collect intelligence from external sources (including third parties) and from across the organization, including day-to-day operations, and combine it with cybersecurity intelligence.
Firms need to be resilient to a host of risks, including weather-related events, technology outages and human error. Cyber risk is just another one to manage in that context. Some aspects of cybersecurity directly support resilience; some are targeted at protecting client and employee privacy; and others focus on the threat of data theft (e.g., of intellectual property). Similarly, some aspects of protecting privacy (e.g., mapping data flows) directly support resilience, while others support the firm’s overall privacy-risk activities.
2. Focus on what is most important
Firms need a differentiated approach to protecting their most important processes and assets. They should:
- Take an enterprise-wide, prioritized view of critical processes. Firms need a top-down view of which business processes are most critical to everyday functioning (the critical business flow for the organization). Banks also have to determine which of their processes play an industry-wide role; regulators view those as top priorities.
- Identify high-value assets. Such assets could be strategic or financial data, intellectual property, sensitive customer data or other confidential data (e.g., executives’ emails).
3. Maintain and practice business-driven resilience plans
Businesses own their cyber-related resilience plans and must:
- Map critical business processes from end to end. This includes processes, applications, infrastructure, middleware, people (including subject-matter experts), third parties and data flows, processing alternatives, as well as single points of failure and concentration (such as location, shared services, vendor and infrastructure).
- Develop robust business impact assessments. BIAs should cover high-value assets, evaluate capacity and capabilities across business, people, process and technology, and address risks that may occur at different times of the day, month and quarter.
- Maintain well-designed, tested business continuity plans. BCPs should address situations where technology is unavailable and include workarounds and alternate processing options. Makeshift processes should be well-documented and tested regularly, and employees should be trained on how and when to use them.
- Conduct routine testing and simulations. The first, second and third lines need to conduct routine tests to assess how systems can be penetrated and to identify new vulnerabilities. Firms should conduct simulations against a range of scenarios, from cybersecurity breaches, to technology or third-party outages, to operational or location failures. Worst-case cybersecurity scenarios (e.g., the corruption of both production and backup data) should be considered. Routine simulations help build “muscle memory” at the senior management and board levels, as well as across the firm at less senior levels, so leaders and those executing continuity plans are ready to address events in a logical and controlled manner. Firms should use the results, and real-life disruptions, to improve.
4. Make sure technology is resilient
Technology is important, so firms should:
- Segment critical systems and implement isolated recovery. Too often in breaches, attackers enter through less-protected systems and maneuver to critical systems. Firms should segment networks and systems, limit points of attack and entry, and implement a means for isolated recovery of data when it is compromised.
- Harden access rights. Firms should re-assess access privileges when individuals are promoted or transferred, especially for employees who access critical systems. Access rights of third parties (especially client-hosted platforms)—and in some cases, clients—need ongoing vigilance. Firms are using new identity and access management approaches to address this risk, including more effective automated solutions.
- Address IT obsolescence. Every firm needs a strategy for managing system obsolescence, including end-of-life and end-of-service hardware and software. Firms need an explicit plan for reducing dependency on obsolete systems and for validating that obsolescence does not create vulnerabilities in critical processes. Strong patch management is important.
- Consider new approaches to store data. Many firms are re-examining how they support local and remote high availability and recovery for critical systems and data, including an enhanced role for cloud technologies.
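The access-rights point above (re-assessing privileges on promotion or transfer, and watching third-party accounts) is easy to state and easy to let slip in practice, because entitlements accumulate silently. The following script is an added illustration of how an automated review of that kind can be built; it is not EY’s tooling and not taken from the article. The role baseline, the HR feed, the IAM export and every user, role and system name in it are constructed for the example.

```python
"""Automated access-rights review after role changes (added illustration).

Assumed, constructed inputs: a role-to-entitlement baseline, an HR feed giving each
person's current and previous role plus the change date, and an IAM export of the
entitlements each account actually holds. All names, roles and systems are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Hypothetical baseline: the entitlements each role is permitted to hold.
ROLE_BASELINE = {
    "teller": {"core-banking:read"},
    "ops-analyst": {"core-banking:read", "payments:submit"},
    "payments-admin": {"core-banking:read", "payments:submit",
                       "payments:approve", "swift-gateway:admin"},
    "contractor-dev": {"build-pipeline:write"},
}

# Entitlements on critical systems: these get recertified after any role change.
CRITICAL = {"payments:approve", "swift-gateway:admin"}
RECERT_WINDOW_DAYS = 30  # role changes this recent trigger a recertification finding


@dataclass
class Account:
    user: str
    current_role: str
    previous_role: Optional[str] = None
    role_changed_on: Optional[date] = None
    entitlements: Set[str] = field(default_factory=set)
    third_party: bool = False
    contract_end: Optional[date] = None


@dataclass
class Finding:
    user: str
    entitlement: str
    code: str  # residual | unbaselined | recertify-critical | contract-ended


def review(accounts: List[Account], today: date) -> List[Finding]:
    """Compare held entitlements against the baseline for the account's current role."""
    findings: List[Finding] = []
    for a in accounts:
        allowed = ROLE_BASELINE.get(a.current_role, set())
        previous = ROLE_BASELINE.get(a.previous_role or "", set())

        # 1. Anything outside the current role: leftover from an old role, or unexplained.
        for ent in sorted(a.entitlements - allowed):
            code = "residual" if ent in previous else "unbaselined"
            findings.append(Finding(a.user, ent, code))

        # 2. Recent promotion/transfer: critical-system access must be re-approved even
        #    when the new role nominally permits it.
        if a.role_changed_on and (today - a.role_changed_on).days <= RECERT_WINDOW_DAYS:
            for ent in sorted(a.entitlements & CRITICAL):
                findings.append(Finding(a.user, ent, "recertify-critical"))

        # 3. Third-party accounts that outlived their contract keep nothing.
        if a.third_party and a.contract_end and a.contract_end < today:
            for ent in sorted(a.entitlements):
                findings.append(Finding(a.user, ent, "contract-ended"))
    return findings


# Constructed sample feed (hypothetical people and dates).
SAMPLE_ACCOUNTS = [
    Account("alice", "payments-admin", "ops-analyst", date(2024, 5, 1),
            {"core-banking:read", "payments:submit", "payments:approve", "swift-gateway:admin"}),
    Account("bob", "teller", "payments-admin", date(2024, 3, 1),
            {"core-banking:read", "payments:approve"}),
    Account("carol", "contractor-dev", None, None, {"build-pipeline:write"},
            third_party=True, contract_end=date(2024, 4, 30)),
    Account("dave", "teller", None, None, {"core-banking:read"}),
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, date(2024, 5, 15)):
        print(f"{f.user:6} {f.entitlement:22} {f.code}")
```

On the sample data the review flags bob’s leftover payments:approve from his former role, alice’s two critical entitlements for recertification because her promotion is within the window, and carol’s build access after her contract ended; dave produces no findings. In a real run the three inputs would come from the HR system and the IAM platform rather than being embedded.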
5. Manage critical third and fourth parties
Because financial institutions increasingly depend on third parties (and even fourth parties), they must:
- Implement robust and well-tested vendor resilience and cybersecurity practices. Firms should validate that third parties have the same level of resilience they do and that they can get their systems back up quickly after disruptions, especially prolonged ones. For critical vendors, this can include site visits and simulated outages. From a privacy perspective, firms need to validate they have the ability and authority to securely move customer data from one place or vendor to another, if needed during a disruption.
- Monitor critical vendors. Firms need to build contractual terms into service-level agreements that specify key risk and performance indicators for resilience that the third party must deliver against. Firms can then use performance data to monitor key vendors on a real-time or near-real-time basis, for example to spot greater-than-expected system latency.
- Analyze fourth-party dependencies. The financial services industry is complex, and some vendors support a range of firms either directly or indirectly (as fourth parties). Banks should identify where fourth-party concentrations exist and factor that into continuity plans.
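As an added illustration of the vendor-monitoring point (spotting greater-than-expected latency against a contractual threshold in near real time), the script below keeps a statistical baseline per vendor and raises one alert per sustained episode rather than on every noisy sample. It is not EY’s code or anything from the article; the vendor names, the SLA limits and all latency samples are constructed for the example.

```python
"""Near-real-time vendor latency KRI monitor (added illustration).

Two thresholds are combined: the contractual SLA limit, and a statistical bound built
from the vendor's own history (median plus k robust standard deviations, using the MAD
so a few past outliers do not inflate the baseline). An alert fires only after
`consecutive` breaching samples, and again if the episode escalates from "degraded"
to an outright SLA breach. Vendor names, SLA values and samples are hypothetical.
"""
import statistics
from typing import List, Optional, Tuple

# Hypothetical contractual response-time limits, in milliseconds.
SLA_MS = {"payments-gateway": 800.0, "kyc-provider": 1500.0}

SEVERITY = {"degraded": 1, "sla-breach": 2}
MAD_TO_SIGMA = 1.4826  # scales MAD to a standard deviation for roughly normal data

Alert = Tuple[int, str, str, float]  # (timestamp, vendor, status, latency_ms)


def baseline(history: List[float]) -> Tuple[float, float]:
    """Robust centre and spread of past latencies: median and median absolute deviation."""
    med = statistics.median(history)
    mad = statistics.median(abs(s - med) for s in history)
    return med, mad


class LatencyMonitor:
    def __init__(self, vendor: str, history: List[float], k: float = 3.0, consecutive: int = 3):
        self.vendor = vendor
        self.median, self.mad = baseline(history)
        spread = max(MAD_TO_SIGMA * self.mad, 1.0)  # floor so a flat history still has width
        self.stat_threshold = self.median + k * spread
        self.consecutive = consecutive
        self.breach_run = 0
        self.alerted_severity = 0
        self.alerts: List[Alert] = []

    def classify(self, latency_ms: float) -> str:
        sla = SLA_MS.get(self.vendor)
        if sla is not None and latency_ms > sla:
            return "sla-breach"
        if latency_ms > self.stat_threshold:
            return "degraded"
        return "ok"

    def observe(self, ts: int, latency_ms: float) -> Optional[Alert]:
        """Feed one sample; returns an alert when a sustained or escalating episode is seen."""
        status = self.classify(latency_ms)
        if status == "ok":
            self.breach_run = 0
            self.alerted_severity = 0
            return None
        self.breach_run += 1
        if self.breach_run >= self.consecutive and SEVERITY[status] > self.alerted_severity:
            self.alerted_severity = SEVERITY[status]
            alert: Alert = (ts, self.vendor, status, latency_ms)
            self.alerts.append(alert)
            return alert
        return None


def run(vendor: str, history: List[float], stream: List[Tuple[int, float]]) -> List[Alert]:
    mon = LatencyMonitor(vendor, history)
    for ts, latency in stream:
        mon.observe(ts, latency)
    return mon.alerts


# Constructed sample data: a quiet history around 300 ms, then a live stream that
# drifts upward, spikes past the SLA, recovers, and wobbles briefly.
HISTORY = [290, 310, 305, 295, 300, 320, 298, 302, 311, 289,
           300, 305, 297, 303, 299, 308, 294, 301, 296, 304]
STREAM = [(1, 305), (2, 330), (3, 340), (4, 350), (5, 900), (6, 310), (7, 335), (8, 330)]

if __name__ == "__main__":
    for ts, vendor, status, ms in run("payments-gateway", HISTORY, STREAM):
        print(f"t={ts} {vendor}: {status} ({ms} ms)")
```

With the sample history the statistical bound lands just above 320 ms, so the run of 330, 340 and 350 ms samples produces a single "degraded" alert on the third sample, the 900 ms sample escalates it to "sla-breach", and the two-sample wobble at the end stays below the consecutive-sample requirement and is ignored. Feeding the same monitor from a vendor’s health endpoint or the firm’s own gateway timings is the near-real-time KRI the text describes.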
6. Detect, respond and recover effectively
Firms will experience disruptions, some of which will be cybersecurity or privacy related, so they need to:
- Maintain a documented and tested crisis management framework. This should link the various incident response programs (e.g., cybersecurity, technology, HR, financial), and include protocols on how and when to invoke crisis management (and when necessary, disaster recovery).
- Involve cybersecurity and privacy in all major events. Sometimes an event that is unrelated to cybersecurity or privacy risks quickly becomes one as bad actors seek to take advantage. The cyber and privacy teams should be engaged early in disruptions and remain on heightened vigilance until the disruption is fully resolved.
- Establish post-event de-escalation and recovery protocols. Firms need post-cybersecurity event protocols, processes to verify the completeness and accuracy of information, and a means to recover data after ransomware without the backups themselves being corrupted. Protocols should also require documentation of decisions taken during the event, especially those accepting more risk than normal. In addition, firms should conduct a post-mortem review to assess the response, both what went well and what could be improved, and act on the needed enhancements.
Maintaining firmwide resilience amid ever-growing cyber threats is increasingly difficult. It requires firms to connect myriad processes and plans, and broad swaths of the firm’s businesses, functions and senior leadership. However, such resilience is increasingly gaining importance. The stability of firms, banks and the market as a whole is at stake.
John Doherty is a partner, and Mark Watson an executive director, at Ernst & Young LLP.