The developing COVID-19 pandemic serves as a reminder to our industry of the importance of business continuity planning (BCP). It is not just worldwide health pandemics that should prompt businesses to create and maintain a BCP—natural disasters and other unexpected events also reemphasize the importance of preparedness.
Most institutions likely follow the Federal Financial Institutions Examination Council’s (FFIEC) recommended BCP process, which includes a business impact analysis (BIA), risk assessment, risk management, and risk monitoring and testing. And despite the FFIEC’s 2019 updates, some financial institutions are still behind.
Is your institution’s BCP up to date? Ensure your organization is ready for the business landscape of the digital age by using these best practices. And don’t forget to review your plan with industry professionals who can evaluate your completed plan.
Protecting Your Data
While threats of physical loss or disruption caused by pandemics and natural disasters indeed pose risks, other threats to business continuity include disruptive data loss, breach or corruption—and these threats could affect any geographic region at any point in time.
A modern BCP must account for the critical role of data in today’s banking environment, beginning with your BIA, which assesses and prioritizes all business functions and processes. To protect your institution from the impact of data being lost, breached or corrupted, make sure these elements are included in your BIA:
- Classifying Data: Data classification can be cost-prohibitive, especially for community banks. At a minimum, your institution must understand what data you have, what data is critical, where it is stored, how it is protected and how it can be recovered.
- Data Flow Diagrams: A data flow diagram is a visual representation of your data, showing how and where it enters, flows through and exits your institution. The diagram is vital to your BCP and should be revised every few years or when introducing new business processes or lines of business.
- Security: Your BCP should reference your network segmentation policy, which should limit the access and movement of your data, as well as your data backup policy, to eliminate any unnecessary connections into or out of your backup storage site—especially crucial in the event of a ransomware attack.
Assessing Your Risks and Threats
Conducting a risk assessment is the next phase in the BCP cycle, during which the FFIEC recommends institutions develop scenarios of threats that could pose disruption to business processes and continuity. Institutions should develop a formal threat analysis to assess how a variety of risk factors, including regional location, terrorist plots and environmental factors, increase the likelihood of business disruption at each location.
The frequency of such formal threat analyses should be determined by prevailing conditions: every 18 to 24 months when things are stable and 6 to 12 months if change is occurring in any of the above factors. It is also important to conduct a formal threat analysis of your main location and disaster recovery sites and on any internal or external sites that house critical data and backups.
Evaluating Cyber Insurance Options
The FFIEC indicates that the primary objective of the risk management BCP phase is to identify, assess and reduce risk to “an acceptable level.” A key component of this phase is analyzing the adequacy of insurance coverage, which is especially important in today’s digital environment. As some organizations have learned the hard way, general liability and other traditional insurance policies often do not cover business disruptions or data breaches as a result of cyberattacks.
In 2018, the FFIEC issued a Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs to call attention to this type of coverage, explaining that cyber insurance options vary but fall into two categories: special endorsements to traditional policies or standalone cyber policies.
In addition, the FFIEC advises institutions to remember that most cyber insurance policies specify who is covered. Make sure to consider first-party coverage, which insures your institution against direct cyberattack expenses, and third-party coverage, which protects customers whose data is compromised and/or partners and vendors that house your data and experience a cyberattack.
Testing Your Plan
The last phase of your BCP process shouldn’t be overlooked, as testing your plan is integral to preparedness. Modern BCP narrows the scope of testing while increasing its frequency. It is now a best practice to conduct small, function-specific tests on a monthly or quarterly basis, starting with the most critical functions. By accumulating these tests over time, your institution will have a more accurate picture of your BCP’s overall effectiveness. The increase in flexibility and resiliency that testing provides, coupled with a robust infrastructure, goes a long way in weathering or outright avoiding many issues.
Planning for a Pandemic
Pandemics are about people. They are, by their nature, an HR issue more than a technical one. Technology is merely a facilitator, and most of the tools and means of mitigating pandemics need to be built out in advance of the incident. Nevertheless, when a pandemic hits, it presents unique challenges to financial institutions and continuity planning. When planning for a pandemic, remember the importance of flexibility, as your institution will likely have to adapt to new information and mitigate evolving risks. The FFIEC recommends financial institutions consider including the following in a pandemic plan within their BCP:
- A program to ensure continuity of services that includes monitoring of outbreaks, development of communication plans for employees and third-party service providers, procurement of supplies for appropriate hygiene, etc.
- Strategies that provide for scaling of the institution’s pandemic efforts, including plans to prepare for potential subsequent wave(s).
- A framework for systems and procedures that allow the organization to continue its operations if essential staff members are unavailable to work, including work-from-home policies, redirecting customers to electronic banking services or alternative operations sites.
- A testing program focusing on procedures to ensure continuity of critical operations and services.
As the recent COVID-19 outbreak has shown, business disruptions can occur quickly and without much warning. So, it is in the best interest of your institution to be prepared with an effective BCP.
Steve Ward has more than 28 years of experience in the technology sector, 13 of which he spent working directly with community banks, and currently serves as CSI’s vCIO manager. In his role, Steve partners with organizations to understand their strategic IT objectives and makes recommendations that align with their business goals.