The Best Defense is a Plan C

From increased connectivity, cross-border transactions, and use of mobile devices to new market entrants and highly sophisticated adversaries, the probability of a devastating cyber attack that takes out an institution’s operations, once virtually nil, is increasingly likely.

While the potential impact on an individual institution has always been large, the consequences for the highly interconnected and interdependent global financial system are also increasing. Very quickly, an extreme event affecting one large institution or even a few small ones can ripple across the globe, causing widespread disruption and potentially a public confidence crisis that could cripple the global economy.   

Most Chief Information Security and Chief Risk Officers will say that they are prepared for almost any extreme event that could occur; after all, it’s their job. But ask the same executive if they believe that all their fellow CISOs and CROs are just as prepared, and the answer is probably not. The reality is that no one institution can foresee every possible threat, as evidenced by the massive impact COVID-19 is having on the entire world in such a short time.  

Our Own Protections Can be Used Against Us 

Traditional risk mitigation approaches such as business continuity and disaster recovery plans are primarily focused on ensuring backups and redundancies of computer systems. To date, they have largely been effective, so effective that many institutions run their main systems and backups as “hot-hot” duplicates. This means that if the primary system fails, the other will step in seamlessly. However, this practice has also created a new attack pattern: data destruction or malware introduced into one system, perhaps by a clever hacker or disgruntled employee, can potentially corrupt the other. Solely focusing on continuity and recovery of backup systems is no longer enough to protect against sophisticated cyber attacks. 

In the past, bank branches received account balance reports every night, and customers even had passbooks stamped by the bank with their last transactions. There was a paper trail to follow if the system went down. But nowadays, with our decreasing reliance on cash and nearly everything digitized, in some ways we are more vulnerable than we once were. Even in the worst case scenario, where a regulator like the FDIC in the US takes over a failing bank to distribute customers’ insured account balances, what happens when no one knows who has what account or how much is in an account because the data has been corrupted or destroyed? 

A New Paradigm: From Systems to Services 

Recognizing this vulnerability, the industry and its regulators are increasingly focused on a new paradigm: operational resilience. The idea is that firms must have alternate ways of delivering critical business services if their main systems go down for any reason, such as a cyber attack or extended power outage.  

The term operational resilience gained momentum after a 2018 Bank of England white paper called on institutions to define the critical business services they provide, prioritize them, devise a plan for keeping them operational no matter what, and prove that the plan works through testing. The concept has caught on with financial regulators around the world, some of whom have issued guidance to examiners (such as in the US) and some introducing rules to ensure institutions do indeed have tested plans for maintaining critical business services in the face of operational outages. 

The critical services themselves differ across institutions, from banks to brokerages to insurance companies, with larger institutions also playing key roles in financial infrastructure such as processing payments and clearing trades that are fundamental to the system. Therefore, each institution must define, prioritize, and plan for itself. 

However, two key services are critical to nearly all institutions in order to maintain public confidence in the system at large. One is that account holders must be able to see their balances. The second is that they must be able to access at least some of their funds.  

An Operational Resilience Use Case 

Sheltered Harbor, a subsidiary of FS-ISAC, was founded precisely to address the scenario in which an institution’s systems are unavailable for an extended period due to a cyber attack or other operational outage. It emerged out of a series of public-private exercises in 2015 (three years before the Bank of England’s white paper on operational resilience) where the industry and government recognized that an extreme event like a disabling cyber attack was a threat, not only to individual institutions but to the financial system at large. 

Developed by hundreds of subject matter experts from the industry, the Sheltered Harbor solution is a set of standards for institutions to follow to achieve operational resilience of these two critical business services. The first component is a data vault, where key customer account data is backed up in an offline, untouchable archive every night. The second is a resiliency plan to ensure that customers can access at least some of their funds while the business continuity and disaster recovery plans are implemented to get the institution’s systems back up and running. The standards include adherence guidelines and certification upon proving implementation of each of the components.  

Extreme Events and the C-Suite 

Since Sheltered Harbor’s inception, the likelihood of extreme events has only grown. The NotPetya virus hit large institutions like Maersk, Federal Express, and the United Kingdom’s National Health Service in 2017. While not financial institutions, these are large organizations with highly developed business continuity and disaster recovery plans – yet they were faced with a scenario for which they were essentially not prepared. More recently, tensions between the US and Iran and the recognition of Iran as a highly capable cyber adversary raised the likelihood even further. And the impact of COVID-19 on the financial system and global economy is still unknown. 

With the focus moving from standing up backup technical systems to resilience of critical business services, there is also a shift in focus in the C-suite. Now more than ever, we are seeing that if an extreme event occurs and the institution is not prepared, the CEO is held accountable. This means that boards and the non-technical C-level executives need to prioritize operational resilience and task their teams with implementing the plans necessary to protect not only themselves, but the global financial system as a whole.