In our last Compliance Advisor blog post, I explained why a modern business continuity plan (BCP) must account for the critical role of data in today’s banking environment. We also went over the factors that should be a part of your formal threat analysis. Let's continue looking at a modern BCP.
Consider Cyber Insurance
The FFIEC indicates that the primary objective of the risk management BCP phase is to identify, assess and reduce risk to “an acceptable level.” A key component of this phase is an analysis of the adequacy of insurance coverage. Today more than ever, an evaluation of existing and available insurance policies is necessary. As some organizations have learned the hard way, general liability and other traditional insurance policies often do not cover business disruptions or data breaches as a result of cyberattack.
The FFIEC recently issued a Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs to call attention to this type of coverage. The statement explains that cyber-insurance options vary, but fall into two categories:
- Special endorsements to traditional policies: Additional coverage that is specifically outlined in a general liability policy to protect against a business disruption and/or data breach.
- Standalone cyber policy: A policy whose sole function is to protect against a cyberattack.
In addition, the FFIEC advises institutions to think about the fact that most cyber-insurance policies specify who is covered. Make sure to consider first-party coverage, which insures your institution against direct cyberattack expenses, possibly including customer notification, event management, business interruption and cyber-extortion costs. In addition, think about third-party coverage, which protects customers whose data is compromised and/or partners and vendors that house your data and experience a cyberattack.
The main reason banks forego cyber-insurance is the additional cost. But as the Ponemon Institute’s 2017 Cost of Data Breach Study shows, the costs resulting from cyberattacks soar much higher. The global study notes the cost of a data breach is highest in the United States, where such incursions cost study participants an average total of $7.35 million. Additionally, the financial services industry has the second highest cost per lost or stolen record at $245.
Simplify BCP Testing
Finally, rethink the last phase of your BCP process, which is testing your plan. Conducting one large-scale BCP test at annual or semi-annual intervals is becoming anachronistic as the massive scope of such tests are difficult to manage and the results hard to discern.
Instead, the modern BCP narrows the scope of testing while increasing its frequency. It is now a best practice to conduct small, function-specific tests on a monthly or quarterly basis, starting with the most critical functions and working your way down the list. Over time, the accumulation of these individual tests creates a more accurate picture of your BCP’s overall effectiveness.
Continuity Is the Key to BCP
In addition to these modern hallmarks, consider this perspective on modern-day business continuity from technology expert Randy Johnson in an article for Accountex Report: “A good rule of thumb is that while disasters statistically happen to less than 1% of all businesses in any given year, events that lead to the need for business continuity happen to almost every business every year.”
Steve Gasiamis serves as a virtual chief information officer for CSI. Steve has more than 15 years’ experience in the information security industry, and he is highly skilled in risk assessments, business continuity and IT compliance requirements for the financial services industry. His professional certifications include Certified Information Systems Security Professional (CISSP), Certified Risk & Information Systems Control (CRISC), Certified Information Systems Manager, (CISM) and Cisco Certified Network Associate (CCNA).