A vital component of our nation’s critical infrastructure is the financial services sector, and risk management professionals in this industry understand the importance of protecting an organization against cyberattacks. Recent cyber disasters like the Equifax data breach serve as a sour reminder that it’s not enough to just respond; an organization must have a defined program to protect the business in the face of unrelenting hackers and attackers.
Risk management professionals can take the following proactive steps to protect their organizations and ensure an effective business response when cyber crises strike:
Before building a cyber-crisis plan, the organization must define the levels of acceptable — and unacceptable — risk for operational disruption in each area of the company, and identify the strategies and investments needed to achieve and maintain tolerable levels. While data protection requirements are absolute, the balancing act between operational resilience versus tolerable service outages or business downtime is necessary; vulnerabilities and threats are endless, but the funds to address them are not.
Cyber-crisis plans need to be developed and maintained in alignment with the requirements and cadence of the organization’s business continuity and disaster recovery programs. A comprehensive approach to an overall program enables risk management professionals to work in tandem with IT, security and business continuity teams to ensure all parties have the same understanding of the cyber-crisis plan, and that it has been well tested and shows readiness and maturity. Such capabilities come only by starting with well-aligned resources and a comprehensive approach.
The goal is to understand current capabilities from an operational perspective: if a cyber-threat occurs, how are business operations impacted? A thorough process includes determining whether there is an end-to-end system in place to ensure the protection of all identified data assets.
What gaps have been identified in technologies, facilities, third parties, processes and people? How do they impact prevention, response and recovery? Does the cyber-crisis plan address all the major types of cyber vulnerabilities, with an understanding of the potential outage durations and recovery time objectives? While business continuity and IT disaster recovery plans address business impact, cyber threats represent very different types of disruptions than have typically been considered in traditional plans.
A plan should establish a management methodology for how all employees conduct themselves during a cyber crisis. Establish when and how to create a command center to respond to the crisis on a reactive level, with IT physically working to secure information and back up data — but don’t forget about the communications aspect of the plan.
In compliance with regulatory requirements, and as a good business practice, there must be defined processes to notify employees and stakeholders — as well as customers and external entities — of a disruption, outage or breach. One of the toughest — but most important — aspects of a cyber event revolves around (1) who alerts customers; (2) who speaks to the media; (3) who works with authorities; and (4) when each of these activities should happen. Response times and the messaging can impact the business more than the actual event.
It’s crucial to understand the scope, preparation and identification of the various types of issues that can occur. An organization must effectively orchestrate its response based on each scenario, assigning specific actions to specific individuals as the situation requires.
In the financial sector, three main events to plan for include ransomware attacks, data corruption and data breaches/information theft. All of these scenarios require specific procedures and steps to ensure the proper response — and a swift recovery — for customers and stakeholders, the business and the brand.
It’s not enough to have a plan on paper; an organization must establish and continuously maintain capabilities to ensure an effective response, and the way to do that is to test it.
Plan tabletop exercises to ensure people are ready, putting responsible teams and individuals in a room and testing their ability to react to various scenarios. Exercise multiple plans under given scenarios to ensure disparate groups will work together in a coordinated response. Run simulations to fully exercise the crisis command center with all of the plans and associated groups involved.
Moreover, consider coordinating recurring cyber-security awareness training for your organization with these tabletops, exercises and simulations.
A cyber-crisis plan is not solely IT’s responsibility. To guarantee that people are well prepared when called upon to act, and to ensure an effective response within tolerable levels of risk and business impact, risk management professionals must establish and maintain a comprehensive program across all affected business areas.
Cyber risk management is not an optional activity. It is a critical area that needs to be planned for, governed and exercised — and must be one part of an organization’s overall risk management strategy.