Operational resilience has emerged as a key area of focus for supervisory authorities and financial institutions. As the financial services sector continues to experience cyber incidents impacting multiple firms, policymakers and institutions are asking: How does my organization rapidly and safely recover from a cyber incident?
Related: Reviewing the 2023 Cybersecurity Landscape
At the same time, the financial services industry continues to undergo significant technology modernization providing new products and enhancing or expanding existing offerings. When considering this landscape, emerging technologies have provided new finance streams, expanded financial services to unserved and underserved communities, increased credit and lending opportunities for small and medium businesses, and enabled new market entrants. These advancements have also lengthened the supply chain used to deliver financial services and have contributed to the growing interconnectedness of the financial markets which could also introduce new risks.
To address growing cyber threats and their potential impacts on a significantly interconnected financial services sector, financial authorities have partnered with standards bodies, financial trade associations, and institutions to develop a framework that enhances the industry’s preparedness for material operational events. As an example of the industry’s resilience partnership efforts, the Digital Operational Resilience Act (DORA) represents a major step towards defining minimum controls and capabilities in the areas of cyber and ICT third-party risk management across the European Union and will help financial institutions strengthen their control in a core pillar of operational resilience. While DORA represents a significant and positive step forward, financial firms must realize that resilience is not solely an extension of business continuity or the result of strong IT and cybersecurity controls.
“Financial firms must realize that resilience is not solely an extension of business continuity.”
Business continuity and technology implementations support the delivery of resilient operations, with business areas playing a pivotal role in the delivery and sustainability of resilience across a number of functions. There are three (3) key pillars in firm’s resilience frameworks where the level of business engagement is particularly important.
Critical Operations Mapping
First, financial institutions must document and agree a consistent view of the people, processes, technology, and third parties needed to deliver critical operations. Institutions rely on different business areas to deliver products and services, with each area having its own view on how products and services are delivered based on their responsibilities. Therefore, gaining an accurate view of dependencies, across functions, will require each group to validate its role in the delivery of services. These business maps will assist organizations with understanding the true impacts of a material operational event and the potential cascading effects to other critical operations.
Second, no financial institution wants to experience an operationally impacting incident. However, experiencing these events without the benefit of previously exercising an organizational response only serves to increase the severity of the impact. Tabletop exercises should facilitate the business’ thought process around decision-making, decreasing the operational friction that may arise when an incident occurs. Further, these exercises help the business understand where recovery is within tolerance and where additional capabilities may be required.
Third, the development of new capabilities is at the heart of any resilience strategy and separates resilience from risk management. Building capabilities requires business areas’ support to drive integration and to validate and test solution effectiveness. By building capability, firms can close the loop and bring the business within its tolerance for disruption for certain extreme but plausible events while providing reasonable assurance for rapid and safe recovery strategies.
Resilience is more extensive than business continuity, cybersecurity, or IT solutions and more important than ever as the cyber incident and technology landscape continues to evolve. The successful delivery of threat impacts to business operations, determine current capabilities to address those impacts, and gain the business insights necessary to build new capabilities and enhance existing processes.
Institutions relying solely on IT or business continuity to deliver on operational resilience may ultimately find themselves ill-equipped to execute on their resilience expectations.
It is incumbent on financial institutions to develop the governance models necessary, across their entire organization, to deliver on resilience for the benefit of the individual firm and the entire financial services sector.
This article was originally published to Views The EUROFI Magazine in April 2023.