Roadmap to Recovery: Cyber Resilience is More Than Just a Business Continuity Plan

With the increasing frequency of cyber-attacks in the financial industry, community banks need an effective strategy to measure and control these risks, and a program of cyber resilience may just fit the bill. The concept of cyber resilience provides a different way of thinking about an institution’s information security processes. Rather than simply focusing only on preventive controls, cyber resilience also focuses on corrective controls, such as having solutions in place to continue business operations should an attack occur. Cyber resiliency ultimately refers to the preparations that an organization makes in regard to preventing threats and vulnerabilities (the defenses that have been developed and deployed), the responsive controls available for mitigating a security failure once it occurs, and its post-attack recovery capabilities (or corrective controls).

More than a BCP

While the Business Continuity Plan (BCP) has become a de facto framework for guiding an institution through the process of recovery from any unplanned event, including a cyber-attack (the word “cyber” is mentioned 49 times in the FFIEC BCP Handbook), cyber resiliency is far more than just developing and executing your bank’s BCP. Business recovery plans are often ill prepared to address non-traditional disasters. For example, continuity plans often rely on the geographic separation of production and backup facilities in the event of a natural disaster. Cyber attacks, however, are not geographically specific and can (and will) affect facilities and operations located anywhere in the world. Attacks can target both the financial institution directly as well as its backup facility, located elsewhere; or a financial institution along with its third-party service providers (TSP) simultaneously. All of these situations require special consideration and preparations that go well beyond traditional BCP planning.

Common Cyber Risks

The cyber risk and threat landscape is broad and continually changing. Some of the most common cyber risks financial institutions should be prepared for include:

• Malware
• Insider Threats
• Data or Systems Destruction and Corruption
• Communication Infrastructure Disruption, and
• Simultaneous Attack on Financial Institution and Third-Party Service Provider

Recommended Controls

Being truly cyber resilient is essential for community banks and their vendors. According to Appendix J of the FFIEC’s BCP Handbook, financial institutions should implement the following controls to successfully achieve cyber resiliency:

• Data backup architectures and technology that minimize the potential for data
  destruction and corruption
• Data integrity controls
• Independent, redundant alternative communications providers
• Layered anti-malware strategy
• Enhanced disaster recovery planning to include the possibility of simultaneous attacks
• Increased awareness of potential insider threats
• Enhanced incident response plans reflecting the current threat landscape, and
• Prearranged third-party forensic and incident management services

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

The Keys to Cyber Resilience

Prevention and recovery are the keys to being truly cyber resilient! Cyber threats will continue to challenge financial institutions, but having the proper preventive and corrective controls in place can greatly minimize the impact. Cyber resilience requires banks to bring together all the areas of information security, business continuity, vendor management and incident response in a coordinated effort.