Martin Lewis, Availability Services Manager, Daisy
According to a study from the Bank of England last year, almost three-quarters of senior executives believed that cyber attacks posed the highest threat to the UK financial industry. This is hardly surprising as an attack on a financial services provider can be particularly profitable for threat actors, considering the highly sensitive data that firms hold and the critical nature of services they provide.
Despite the risk, many in financial services do not feel adequately prepared. In fact, KPMG’S Cyber Security: 2022 Banking Industry Survey, found that 43% of senior executives do not believe banks are properly equipped to protect customer data, privacy, and assets in the event of a cyber attack. Given the financial, reputational and legal ramifications of an attack, it’s imperative that financial services providers have continuity strategies in place to mitigate risk and minimise impact. But where should they start?
Assess the risk
Financial services providers should start increasing their cyber resilience by carrying out a comprehensive risk assessment.
A risk assessment seeks to evaluate potential threats within the organisation’s framework. With assets in the financial sector including sensitive data, trading platforms, communication networks, data centres and physical facilities, a risk assessment helps financial services providers identify possible vulnerabilities across a diverse range of infrastructures.
This process can be carried out through a business impact analysis (BIA), which pinpoints critical business processes, how they connect with one another, and determines the potential impact of a disruption.
The importance of identifying and protecting these key processes for financial services providers is highlighted by the Prudential Regulation Authority’s (PRA) recent operational resilience policy. This calls for firms to identify their Important Business Services (IBS), and then set their impact tolerances – a breakdown of clear, time-based metrics and thresholds that they must stay within if disruption to IBS occurs.
By 2025, firms will have to be able to prove they can remain within those tolerances no matter the incident. As well as meeting these requirements, identifying IBS and the critical dependencies that support them is crucial to helping businesses to understand the key areas that firms should focus their preservation and revival efforts on in the event of a cyber attack.
Proactive risk assessment, BIA implementation and IBS identification offers financial services providers a head start in the race against cyber attacks. The more adept a business is at identifying risks to critical business processes the better they can mitigate them, helping to protect both the organisation and customers alike.
Making a plan
The next stage in increasing cyber resilience is building effective, practical, long-term plans. These plans – encompassing crisis management, business continuity, and disaster recovery strategies – are helpful in enabling informed decision-making across a range of plausible scenarios and ensuring specific situations have a specialised response.
A crisis management plan provides guidelines for communication, escalation and immediate actions should there be an unforeseen incident. A business continuity plan outlines how an organisation will restore their critical functions and operations to predefined levels following a disruption. While a disaster recovery plan focuses on restoring critical technological components and outlines steps to swiftly recover IT services and communications systems following any disruption or outage.
These plans must be continuously tested for all eventualities. To meet this challenge, many financial institutions should opt for external solutions to bolster their preparedness. This involves tapping into the talent of industry-experts who are able to manage entire continuity plans and alleviate the challenges of in-house management.
While technical security measures are important, it’s an unrealistic and costly misconception to assume they prevent all cyber attacks. In the event of a cyber attacker breaching security measures, financial services providers must be ready for the ‘what if’ scenario, ensuring you have well-orchestrated plans in place to contain threats, minimise damage, and get back on your feet.
At a time when financial services providers are facing increased exposure to cyber threats, it is essential that they are effectively anticipating, and mitigating potential attacks. Business continuity strategies, such as risk management and resilience planning, can help companies to identify potential business vulnerabilities and plan how best to protect critical functions and operations. Ultimately, through prioritising prevention and resilience, financial services providers can safeguard their digital assets, ensure profitability, and maintain customer satisfaction, in an ever-evolving financial landscape.
