Putting the Cyber in Operational Resilience

February 16, 2021

The pandemic has made it clear that lines are more blurred than ever when it comes to identifying what defines a business continuity event, a crisis management event, or a cybersecurity event.

Moving forward, to truly achieve operational resilience, organizations need robust technology that continuously monitors for problems, plans that support resilience improvements must be prioritized, and incidents need a coordinated response among all key stakeholders, from customers to partners to employees.

Cyber threats are keeping the IT risk community on high alert. Ransomware, one of the fastest-growing threats in cybersecurity, has hit healthcare organizations, government agencies, businesses, and municipalities, leaving almost no industry spared. The U.S. Treasury recently warned that companies that help facilitate ransom payments on behalf of cyber victims could face legal consequences, since paying sets a precedent for other bad actors and sends the message that they’ll get what they want. “What we’re seeing more often is that valuable intellectual property and sensitive information isn’t just being encrypted and held for ransom. Encrypted versions of that data are also being posted online, with the threat that if a ransom is not paid, all of the data will be released for public access,” noted Security Magazine.

Malicious cyber activity isn’t slowing down anytime soon, with the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) warning at the end of December 2020 that “cybercriminals, including ransomware operators, will continue to exploit the COVID-19 pandemic alongside legitimate efforts to develop, distribute, and administer vaccines.” Stating that it’s “aware of ransomware directly targeting vaccine research,” FinCEN urges financial institutions “to stay alert to ransomware targeting vaccine delivery operations as well as the supply chains required to manufacture the vaccines,” as CyberNews reported in a look at cyber threats for 2021.

The recent cyberattack against a water treatment plant in Florida also reinforces that business continuity, cybersecurity, and crisis management should not be working in silos. The fallout is too great and potentially damaging to your organization, your stakeholders and your reputation.

So how can BCM professionals better identify and holistically manage a disruption to the business? Let’s first start by asking a few questions to help see how your department fits in with the objectives of the business as a whole.

  1. Does your BCM department align directly to the mission and values of your organization?
  2. Does your department solve problems for senior management?
  3. Most departments demonstrate their value by quantifying their ROI for management. Does your BCM department show its value to your senior team?
  4. Does your department know the variety of problems that the C-suite wrestles with? What keeps them up at night?
  5. Are you reporting on items that management finds relevant? When you present metrics, are you properly quantifying how the BCM practice can impact or guide the organization through these relevant issues?

A one-size-fits-all business continuity methodology won’t cut it today, especially in industries like healthcare where there’s little tolerance left for fighting another crisis incident on top of the pandemic.

The key to improving operational resilience is to always look forward. Resilience is not tactical but strategic; if BCM leaders only look back at how to better respond to an incident that has already taken place, we are guaranteed to fail when the next unknown arrives at our doorstep. And there will always be a next unknown. Preparing a cross-functional response team to address the overlaps between business operations, information security, and workforce and workplace health and safety is what lets a crisis incident be managed holistically rather than in silos.

A new framework for operational resilience

Let’s take a look at the financial services industry for an example of how to rethink the path to resilience. After network outages at Royal Bank of Scotland and TSB led to an investigation of the UK financial industry, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) developed a standard for operational resilience. These guidelines are, in fact, reasonable steps that any company in any industry can take to improve the resilience of its software systems.

Here are the standard’s five steps towards resilience:

  1. Identify critical business services based on those that end-users rely on most. Focus on the services that serve external customers; by applying a customer-centric approach, it’s easier to determine where to boost your reliability efforts.
  2. Set a tolerance level for the amount of outage time during an incident that is acceptable for that service, based on what utility the service provides. The paper recommends setting impact tolerances and measuring the maximum level of disruption to an important business service, including the maximum tolerable duration of a disruption.
  3. Test to learn if the business is able to stay within those acceptance levels over a period of time during real-life scenarios. By performing failure scenarios as seen by your company or others in the industry, you can better assess how your system handles disruption.
  4. Involve management in the reporting and sign-off of these thresholds and tests. Impact tolerances provide a clear metric that can be reported to management so they can better determine and prioritize areas for improvement.
  5. Take action to improve resiliency against different scenarios where feasible. Once a system weakness is identified, it’s imperative to correct any flaws or weaknesses based on severity, then rerun your testing to make sure it’s all running smoothly.
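Steps 2 and 3 above only work if the impact tolerance is something you can actually measure against real incidents. The following is an added example, not code from the original article or from the BoE/PRA/FCA standard, that shows one way to do that check: it takes a constructed incident log, merges overlapping tickets for the same service into continuous disruption windows (a single outage logged as two tickets must not be undercounted), finds the longest disruption per service, and flags every service that exceeded its maximum tolerable duration. Services that had incidents but were never given a tolerance are reported separately, since under step 1 that is a gap in the critical-service inventory rather than a pass. Service names, tolerances and timestamps are all invented for illustration.

```python
"""Check recorded incidents against per-service impact tolerances.

Added example (hypothetical data): service names, tolerances and incident
timestamps are constructed for illustration and do not come from any real
institution or from the regulators' standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    service: str
    start: datetime
    end: datetime

    def __post_init__(self):
        if self.end < self.start:
            raise ValueError(f"{self.service}: incident ends before it starts")


# Constructed impact tolerances: maximum tolerable duration of disruption
# for each important business service (step 2 of the standard).
TOLERANCES = {
    "online-payments": timedelta(hours=2),
    "card-authorisation": timedelta(minutes=30),
    "mobile-banking": timedelta(hours=4),  # no incidents recorded below
}

# Constructed incident log. The two online-payments tickets overlap, so
# they are really one continuous 2h30 disruption even though each ticket
# on its own is under the 2h tolerance.
INCIDENTS = [
    Incident("online-payments", datetime(2021, 2, 1, 9, 0), datetime(2021, 2, 1, 9, 50)),
    Incident("online-payments", datetime(2021, 2, 1, 9, 45), datetime(2021, 2, 1, 11, 30)),
    Incident("card-authorisation", datetime(2021, 2, 1, 14, 0), datetime(2021, 2, 1, 14, 20)),
    Incident("internal-wiki", datetime(2021, 2, 1, 10, 0), datetime(2021, 2, 1, 13, 0)),
]


def merged_outages(incidents):
    """Group incidents by service and merge overlapping or touching windows.

    Returns {service: [(start, end), ...]} with non-overlapping windows.
    """
    by_service = {}
    for inc in sorted(incidents, key=lambda i: (i.service, i.start)):
        windows = by_service.setdefault(inc.service, [])
        if windows and inc.start <= windows[-1][1]:
            # Overlaps or touches the previous window: extend it.
            windows[-1] = (windows[-1][0], max(windows[-1][1], inc.end))
        else:
            windows.append((inc.start, inc.end))
    return by_service


def evaluate(incidents, tolerances):
    """Compare the longest merged disruption per service with its tolerance.

    Returns {service: (longest_disruption, breached)} where breached is
    True/False for services with a tolerance and None for services that
    had incidents but no tolerance defined (an inventory gap, step 1).
    """
    longest = {
        svc: max(end - start for start, end in windows)
        for svc, windows in merged_outages(incidents).items()
    }
    result = {}
    for svc, tolerance in tolerances.items():
        duration = longest.get(svc, timedelta(0))
        result[svc] = (duration, duration > tolerance)
    for svc, duration in longest.items():
        if svc not in tolerances:
            result[svc] = (duration, None)
    return result


def report(results):
    """Render the evaluation as lines suitable for a management summary (step 4)."""
    lines = []
    for svc, (duration, breached) in sorted(results.items()):
        if breached is None:
            status = "NO TOLERANCE DEFINED"
        else:
            status = "BREACH" if breached else "within tolerance"
        lines.append(f"{svc:20s} longest disruption {duration}  {status}")
    return lines


if __name__ == "__main__":
    for line in report(evaluate(INCIDENTS, TOLERANCES)):
        print(line)
```

Running the script flags online-payments as a breach (2h30 against a 2h tolerance) even though neither ticket alone exceeds it, reports card-authorisation and mobile-banking as within tolerance, and lists internal-wiki as having no tolerance defined. Feeding the same function the outcomes of a failure-scenario exercise (step 3) instead of historical tickets gives you the same pass/fail view for rehearsed disruptions.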

It’s worth noting that while this new standard of resilience was originally intended for British financial institutions, like any innovative standard or guideline, it will almost certainly evolve and expand as it’s adopted by different industries and could inspire other types of regulation for resilience. For example, the EU’s General Data Protection Regulation of 2016 influenced the development of the California Consumer Privacy Act (CCPA) in 2018.

The path to resiliency

What the UK financial services regulators’ proposal for operational resilience gives BCM professionals is a lens through which to assess impact tolerances and drive a more coordinated response that cuts across verticals of risk. An integrated approach to risk and resilience delivers a wider umbrella of coverage, since, as we know today, a cyber threat could be an operational crisis, a business continuity event, or even a workforce health and safety issue. And as our recent experience in strengthening operational and cyber resilience has shown us, it’s likely all three.
