By Debra Cope
On July 19, 2024, IT chaos flowed across the global business landscape — but not because of a malicious act. The culprit was a faulty software update from CrowdStrike — ironically, a company that specializes in protecting businesses from cyberthreats. The glitch grounded commercial airlines, disrupted 911 emergency call centers and wreaked havoc with the banking system. Many banks were unable to complete transactions or field incoming calls.
This article is from the September-October 2024 edition of ABA Banking Journal Directors Briefing. Subscribe here.
Maintaining operational continuity during events such as natural disasters, severe weather, and IT disruptions is crucial for depository institutions. This approach not only preserves the integrity of the nation’s payment system but also reinforces customer trust in the banking sector. It falls on the board to ensure that management is equipped with comprehensive plans and procedures to handle a wide range of scenarios, including emerging threats like cyberterrorism.
While it’s impossible to predict every potential challenge a bank might face, having robust business resumption and contingency plans enables both the board and management to navigate emergencies effectively. A well-crafted plan provides a strategic framework for decision-making and helps institutions quickly recover and resume operations, regardless of the scale of the disruption.
What are some of the contingencies banks need to plan for? Here is a sampling, and some reminders that “it can happen here.”
Extreme weather. Many banks are old hands at coping with the Atlantic hurricane season, which runs from June to November. Newer climate-related perils have also arisen, such as wildfires and droughts. These events don’t just threaten the banks that are in their paths—they also have the potential to impact their loan portfolios, which may be secured by vulnerable assets. Emergency planning steps banks undertake may include testing phone lines, inspecting properties for potential storm-related hazards, identifying staff with generators and underground power lines at home and giving workers time off to prepare their home offices.
Natural disasters. Earthquakes loom large in banking lore. Amid the devastation of the 1906 earthquake that leveled San Francisco, Bank of America founder A.P. Giannini famously set up a temporary bank by taking to the street. Plunking down a plank across two barrels, he made loans on a handshake. Banks that operate in earthquake zones need to prepare for their facilities to be damaged or destroyed, creating a need for alternate facilities. They also need to prepare for the destabilizing impact on depositors and borrowers.
Malicious events. Unfortunately, tragedies remind us that the risk of workplace violence is real. On April 10, 2023, a mass shooting took place at an Old National Bank office in Louisville, Kentucky. The attack resulted in the deaths of five individuals and left eight others wounded, including two police officers who were responding to the scene. The assailant, 25-year-old former employee, was killed by law enforcement officers. Helping employees and customers take an active role in their safety is the priority in these scenarios.
Technology and cybersecurity events. Third-party risks. Phishing. Ransomware. Generative AI. The list of cyberthreats to banks seems to spread like a malignancy. Banks need to prepare for the possibility that hackers are not just loners in hoodies — they could be salaried employees working at operations with well-staffed call centers and other professional trappings.
Public health emergencies. Back in 2006, the spread of Avian flu across Asia prompted federal banking regulators to issue interagency guidance on influenza pandemic preparedness. The guidance was prescient, helping many banks to prepare for the COVID-19 pandemic that struck 14 years later. Elements included assessing the impact of significant and sustained employee absences, establishing work-from-home protocols and practicing good hygiene.
The list goes on, and includes reputational risk, financial crises like the bank runs that occurred in the spring of 2023, and the “unknown unknowns.”
