Institutions Must Keep Up with Changing Times
Volcanic eruptions in Hawaii, raging wildfires in at least 10 states, and the start of the Atlantic hurricane season should serve as reminders to our industry of the importance of business continuity planning (BCP). But because there have been no recent changes to the Federal Financial Institutions Examination Council’s (FFIEC) Business Continuity Booklet, some financial institutions may have fallen into static BCP routines.
More than likely, your institution follows the FFIEC’s recommended BCP process—business impact analysis (BIA), risk assessment, risk management and risk monitoring/testing. But has the way in which your institution conducts this process remained unchanged over the years? Such complacency poses a problem because the business landscape in the digital age has changed considerably, even if regulatory requirements have not.
Given this dichotomy, it is time to update your BCP with these modern hallmarks.
Understand Your Data
When the FFIEC first addressed business continuity, institutional BCPs were primarily focused on physical loss or business disruption caused by natural or man-made disasters. Of course, that is still a risk, but today a larger threat to business continuity looms. Disruptive data loss, breach or corruption threatens every financial institution, in every geographic region, every day of the year.
A modern BCP must account for the critical role of data in today’s banking environment, beginning with your BIA, which assesses and prioritizes all business functions and processes, including interdependencies. Data availability and accuracy has arguably become one of the most critical interdependencies of every bank function.
To protect your institution from the impact of data being lost, breached or corrupted, add these elements to your BIA:
- Data Classification Policy: Identify and classify all data based on its sensitivity and criticality levels. Tech Target recommends that data “be labeled with a ‘risk-level’ that determines the methods and allowable resources for handling, the required encryption level, and storage and transmittal requirements.” It also provides a three-tiered classification system as an example:
- Public Data: Available to and intended for public disclosure.
- Business Use Only Confidential Data: Applicable to internal functions but its disclosure would not cause significant or irreparable harm.
- Confidential Data: Sensitive business, customer or employee data whose disclosure would “adversely affect an organization.”
- Data Flow Diagrams: This exercise yields a visual representation of your data by showing how and where it enters, flows through and exits your institution. Such diagrams are particularly important now that the European Union’s General Data Protection Regulation (GDPR) has gone into effect.
- Security and Segmentation: Your BCP should reference your network segmentation policy, which should limit the access and movement of your data, as well as your data backup policy, to eliminate any unnecessary connections into or out of your backup storage site. This is especially crucial in the event of a ransomware attack.
Analyze Your Specific Threats
The next phase in the BCP cycle is a risk assessment, during which the FFIEC says that, “Institutions should develop realistic threat scenarios that may potentially disrupt business processes and their ability to meet clients’ expectations (internal, business partners, or customers).” In today’s environment, this should include the following assessment of every internal and external (vendor) location.
- Formal Threat Analysis: An assessment that considers how the following risk factors increase the likelihood of business disruption at each location, starting with cyber risk:
- Cyber interconnectivity: Keep track of all Internet connections at each site and consider any factors that increase a particular site’s threat from cyberattack.
- Regional location: Consider natural disaster-prone areas, such as sites located in coastal states subject to hurricanes and other storms, or those where wildfires are known to occur.
- Terrorist plots: Stay tuned to federal and local terrorism alerts, especially for sites located in high-value targets, such as New York or Washington, D.C.
- Environmental factors: Think about nearby facilities that could pose an environmental threat, such as natural gas, chemical plants or nuclear power plants.
- Transportation accidents: Gauge the impact of severe accidents at or on nearby transportation points, such as airports, railways or interstate highways.
- Internal atmosphere: Take into account corporate instability, such as layoffs or other significant changes, that could increase the risk of insider sabotage.
- Health issues: Note how well the areas in which your institution is located are prepared to handle disease epidemics or pandemics.
- Local conditions: Think about the particular risk factors of each site’s local vicinity, such as high crime, new construction, civil unrest, etc.
The frequency of such formal threat analyses should be determined by prevailing conditions: every 18 to 24 months when things are stable and 6 to 12 months if change is occurring in any of the above factors. And make sure to do a deep-dive formal threat analysis on your main location and disaster recovery sites, and on any internal or external sites that house critical data and backups.
For more features to consider adding to your BCP, read part two of this blog series.
Steve Gasiamis serves as a virtual chief information officer for CSI. Steve has more than 15 years’ experience in the information security industry, and he is highly skilled in risk assessments, business continuity and IT compliance requirements for the financial services industry. His professional certifications include Certified Information Systems Security Professional (CISSP), Certified Risk & Information Systems Control (CRISC), Certified Information Systems Manager, (CISM) and Cisco Certified Network Associate (CCNA).