Managing enterprise-wide operational resiliency has historically been a complex problem for Financial Service Institutions (FSIs). One year ago, the European Commission
announced plans to establish a
Joint Cyber Unit to tackle serious cyber incidents impacting national infrastructure and businesses across the EU. There are many kinds of cyber incidents that can stop day-to-day operations in their tracks – cyberattacks, technology failures and natural disasters are all risks. To maintain business resiliency following an operational disruption, firms need to plan, adapt, and take positive action to recover with rapid data restoration.
Operational resilience requires a unified application availability and business resiliency strategy that spans all business applications. Historically, strategies have often been about deploying multiple independent solutions. This can sometimes lead to increased exposure to disruptions due to there being more risk of holes in the system. A different approach is needed.
There are multiple ways to develop a robust strategy and here are some of the top guidance points:
1. Review business continuity practices on a regular basis
This is an important step to check that the FSI withstands any potential disruption caused by a cyberattack such as ransomware. Measures can be introduced to test that contingency strategies remain consistent with current operations, risks and threats, tolerance for disruption, and recovery priorities. Putting in place functional testing procedures for assessing the ability of a firm’s IT systems to deliver minimum service capacity to critical operations and core business lines is consistent with a firm’s business continuity objectives to avoid downtime and potential loss of revenue.
2. Undertake regular scenario testing
Scenario testing can be used on a periodic basis to test an FSI’s ability to resist a cyberattack and to test cyber resiliency. By testing impact tolerances (setting the maximum tolerable level of disruption to a critical business service), recovery and response times can be monitored to check that they will be fast enough to not expose different types of vulnerabilities in the IT infrastructure. Caution needs to be taken when testing any IT systems to limit the risk of disrupting an entire chain of activities that are critical business services.
In addition, testing and retesting data protection policies and systems is of paramount importance for organisations to be able to demonstrate that they are taking their security obligations seriously and that their policies will deliver when it counts.
3. Use and maintain updated IT systems
Not only do IT systems need to be updated with the latest software but they also need to be compliant with the latest regulations. For example, according to the regulations outlined by the EU Commission, IT systems need to be updated (such as backup to the cloud) and checked to make sure that they are appropriate to the demands of their critical operations and services. These systems should be reliable, have sufficient capacity to meet the varying demands of the services and be technologically resilient to deal with stressed market conditions, especially where an exit from a managed service provider or cloud service provider is required.
The UK Prudential Regulation Authority also states that companies must set impact tolerances at the point at which any further disruption to the critical business services would risk their ability to provide the services. The tolerance must include a time-based metric to measure the level of disruption, which will trigger the appropriate recovery operations.
4. Monitor IT systems
The chosen monitoring solution should be advanced enough to be able to detect anomalous activities to minimise the impact of any operational risks. This will require FSIs to implement dedicated and comprehensive IT business continuity and backup and recovery solutions to ensure the resumption and or restoration of IT systems with minimum downtime, quick recovery and limited disruption. Monitoring systems isn’t enough; alerts should be set up so that IT teams can be notified if there is any disruption to the IT systems 24/7.
5. Identify and map important business services
This is an important step in the development of an operational resiliency strategy plan. It can include setting impact tolerances, defining plausible disruption scenarios, and testing against these, making compliance a non-trivial undertaking. These requirements are continual and include the following:
- Review all critical services, continue to assess their importance, and adjust accordingly.
- Continually review impact tolerances to ensure validity and acceptability.
- Repeatedly test, refine, and evolve plausible disruptive scenarios to reflect an ever-changing regulatory environment.
Maintaining operational resilience is not a one-size-fits-all approach; it is part of an ongoing strategy that evolves over time as potential threats emerge and technology evolves on a continual basis. IT heads and CTOs working to protect their IT and security systems need to share strategies and tactics, to stay ahead of scheming cyber criminals.
Maintaining operational resilience also relies on an organisation’s wider stakeholder chain and as such cannot be found in any one single product, service or company; it should be part of a carefully developed plan that requires the expertise of multiple actors and solutions. Without a strong plan in place, UK infrastructure, businesses, and ultimately UK citizens will, unfortunately, bear the brunt of cybercrime.
- SEO Powered Content & PR Distribution. Get Amplified Today.
- PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
- PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
- PlatoESG. Automotive / EVs, Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
- BlockOffsets. Modernizing Environmental Offset Ownership. Access Here.
- Source: https://www.finextra.com/blogposting/24630/maintaining-an-always-on-and-ever-prepared-financial-institution?utm_medium=rssfinextra&utm_source=finextrablogs
- :has
- :is
- :not
- :where
- $UP
- a
- ability
- Able
- About
- According
- accordingly
- across
- Action
- activities
- actors
- adapt
- addition
- advanced
- against
- ago
- ahead
- Alerts
- All
- also
- an
- and
- announced
- any
- Application
- applications
- approach
- appropriate
- ARE
- AS
- assess
- Assessing
- At
- authority
- availability
- avoid
- Backup
- basis
- BE
- Bear
- been
- being
- business
- Business Applications
- business continuity
- businesses
- but
- by
- CAN
- cannot
- Capacity
- carefully
- caused
- caution
- chain
- check
- checked
- chosen
- Citizens
- Cloud
- commission
- Companies
- company
- complex
- compliance
- compliant
- comprehensive
- conditions
- consistent
- continue
- continuity
- Core
- Criminals
- critical
- Current
- cyber
- Cyberattack
- cyberattacks
- cybercrime
- data
- data protection
- day-to-day
- deal
- dedicated
- defining
- deliver
- demands
- demonstrate
- deploying
- detect
- develop
- developed
- Development
- different
- disasters
- Disruption
- disruptions
- disruptive
- do
- downtime
- due
- EC
- emerge
- enough
- ensure
- Entire
- Environment
- especially
- establish
- EU
- Europa
- European
- european commission
- ever-changing
- evolve
- evolves
- example
- Exit
- expertise
- Exposure
- FAST
- financial
- financial institution
- financial service
- Finextra
- firms
- following
- For
- found
- from
- functional
- further
- guidance
- Have
- heads
- here
- historically
- Holes
- HTTPS
- if
- Impact
- impacting
- implement
- importance
- important
- in
- include
- increased
- independent
- Infrastructure
- Institution
- institutions
- introduced
- IT
- joint
- latest
- lead
- Level
- LIMIT
- Limited
- lines
- loss
- maintain
- Maintaining
- make
- Making
- managed
- many
- map
- Market
- market conditions
- maximum
- measure
- measures
- Meet
- metric
- minimise
- minimum
- monitored
- monitoring
- more
- multiple
- must
- National
- Natural
- Need
- needed
- needs
- objectives
- obligations
- of
- often
- on
- ONE
- ongoing
- only
- operational
- operational resilience
- Operations
- or
- Organisations
- outlined
- over
- Paramount
- part
- periodic
- Place
- plan
- plato
- Plato Data Intelligence
- PlatoData
- plausible
- Point
- points
- policies
- positive
- potential
- practices
- Problem
- procedures
- Product
- protect
- protection
- provide
- provider
- Prudential
- Putting
- Quick
- ransomware
- rapid
- Recover
- recovery
- refine
- reflect
- regular
- Regulation
- regulations
- regulatory
- reliable
- remain
- require
- required
- Requirements
- requires
- resilience
- resilient
- response
- restoration
- revenue
- review
- Risk
- risks
- robust
- scenario
- scenarios
- security
- serious
- seriously
- service
- Service Provider
- Services
- set
- setting
- Share
- should
- single
- So
- Software
- solution
- Solutions
- some
- spans
- stakeholder
- States
- stay
- Step
- Stop
- strategies
- Strategy
- strong
- such
- sufficient
- sure
- system
- Systems
- tackle
- tactics
- Take
- taken
- taking
- teams
- Technology
- test
- Testing
- that
- The
- their
- There.
- These
- they
- this
- threats
- time
- times
- to
- tolerance
- top
- trigger
- types
- Uk
- Ultimately
- unfortunately
- unified
- updated
- used
- Vulnerabilities
- ways
- when
- which
- wider
- will
- with
- without
- working
- would
- year
- zephyrnet
