Cyber threats forcing business continuity overhaul

Communications need close attention when firms are attacked, conference hears

Cyber risk tops list of business continuity threats

Cyber threats should be top of the list of business continuity threats for financial companies and must be incorporated into their resilience plans, delegates at the OpRisk North America conference in New York heard today (March 16).

"Everyone has some version of cyber on the list," said John Ginelli, head of retail control at investment manager Vanguard. "Vanguard is a virtual company – we don't have a bricks and mortar presence, we communicate with our customers by phone or by email – so that is a huge risk for us."

Communications with customers and even the media are a vital part of the business continuity plan (BCP), he added. "We need to know what message we will share. The press has become a lot more interested in cyber – what do we tell them and when? PR has become part of our business continuity plans more than ever before."

Bob Passini, chief resiliency officer at insurer and mutual fund manager The Hartford, also highlighted the importance of communications in business continuity planning. "The ability to communicate out-of-band is vital. You need to ask if you have those tools," he said.

Ken Radigan, a special assistant to the board of loss data consortium Oric International, added: "You need to look at internal and external communications separately. Who do you need to communicate with and how? It will depend on the details of the actual crisis. Is there no internet? Is there no cellphone network? Maybe you can use radio? This all needs to be articulated in advance."

Senior management should also lay down guidelines on the trade-off between using secondary communications systems that might not be as secure, and maintaining customer service and internal communications where possible. "Controls are not always as good on backup systems, so when you have an outage you become more vulnerable to fraud. And your plan needs to address this," warned Vanguard's Ginelli.

Trading over mobile phone connections would typically be less secure than using the primary system, for example, but it might still be worth taking the risk rather than suffering losses from halting operations. This was especially true when it came to long-duration business interruptions; Hurricane Sandy in October 2012 illustrated the potential for a natural disaster to bring down operations for weeks or months, rather than days, the panel pointed out.

Business continuity and resilience planners also need to pay close attention to vendors, delegates heard. "Vendors become an extension of your business. We think about them as another location of our company," The Hartford's Passini said. "Active management is critical – there is a tendency for them to say, 'Don't worry, everything is fine', but you need to test them. You also need to look at concentration risks, geographic concentration and so on. Best practice is to invite them into your BCP exercises, and also to test their capabilities directly yourself."

Oric's Radigan and Vanguard's Ginelli agreed on the necessity of testing third-party BCPs directly, and added that restrictions on the use of fourth-party suppliers and contractors should be clearly written into contracts in advance. "You need to know their practices around vendors: how much due diligence do they do on vendors? Because it may not be at the same level as the due diligence you do," Ginelli added.

The operational risk team needs to involve itself both before and during a business continuity event, Radigan emphasised. "If the BCP is written by a committee, then operational risk needs to be on that committee," he said. "If not, then they need to review and approve it – because they are the ones with the best knowledge of the business's processes."
