Is the Bank Cyber Resilient?

I have gathered some well-tested questions to help a CEO (or anyone in a C-suite role) determine whether their organization is cyber resilient. The financial services sector is supposed to be among the most cyber-secure. Are we more cyber-resilient?

The Sheltered Harbor community has defined how a bank can prepare to survive a severe but plausible event that causes loss of operational capabilities as well as loss of critical data. Financial regulators are looking for this type of resilience, yet many institutions are struggling to achieve it – often because they don’t understand what is involved.

I’ve had the benefit of working with scores of financial institutions and learning about their operational and cyber resilience programs. Consequently, I have gathered some well-tested questions to help a CEO (or anyone in a C-suite role) determine whether their organization is properly prepared to survive a severe but plausible event. Unfortunately, I have met too many C-Level execs who have relied on responses to a limited set of questions to determine if their organization is prepared for a devastating cyber-attack.

A Bank CEO asks his COO if they are prepared for a significant cyber-attack. The COO responds, “Yes, we just successfully ran our annual Disaster Recovery Test last month.” Double-checking this answer, the CEO then turns to his CIO and asks whether the company could recover from a devastating ransomware attack, like the Colonial Pipeline event. The CIO assures the CEO that not only could this not happen to the Bank, but if somehow it did, they would detect it quickly and could recover lost data from their backups. Finally, the CEO asks the CISO to confirm the responses from the COO and CIO, and the CISO agrees with the responses. Happy with these responses, the CEO sleeps well at night until we meet to discuss cyber resilience.

I tell the CEO that I’m not so sure that they are truly cyber resilient, because I don’t know if the right questions have been asked of the people who would have to be involved in the bank’s survival after a devastating cyber-attack. The CEO agrees to answer a few of my questions.

CEO's Resilience Questions

Does everyone at our bank understand the most critical services that will keep customers from panicking after a devastating cyber-attack on our bank?

If all systems are lost and our data is gone, will the Disaster Recovery Plans positively support our most critical services within 24 hours? Has this been tested? Have these tests included all the significant personnel who would be servicing customers during that desperate time?

What will our tellers and call center staff do during the cyber-attack, immediately after it, and in the period that follows? Have they been trained for this eventuality? Do we have updated scripts and playbooks, and are our SLAs for this situation well understood by everyone involved?

Do we know exactly how we will provide customers with access to their funds during this attack?

Will our customers be able to withdraw funds with their debit cards? How long will the ATM network continue to support our customers? Will we set any special limits on withdrawals during this event?

Exactly how will we maintain liquidity until we have all our systems back to normal? Do we have the proper agreements and relationships in place to keep ourselves funded? For several days? How will we manage cash during this scenario? Are our agreements up to date and properly executed?

Has the Technology team determined how long it would take to rebuild our critical systems from scratch? Can I count on that timeline, no matter what the circumstances? When was it last tested? Are we relying on that same test for our DR/BCP?

Is there one C-Level person who is responsible for assuring the Board that all such preparations are in place? Or will this be managed by a committee? If so, is that committee in place, and does each member know exactly how they will help the bank survive?

More often than not, this dialogue with a bank CEO leaves them looking like a cross between a deer in the headlights and “how could I have been so naïve”. I’m encouraged to see the realization sink in. This level of concern is what is needed to begin planning for a serious cyber-attack. There are many more questions, each of which can expose the actual readiness of a financial institution. We have a solution! Sheltered Harbor (the community of over one thousand industry peers) publishes over two dozen guides on how a financial institution can get ready to survive even the most extreme cyber-attack. We call this Resilience Planning, and we can help any financial institution get ready to handle and bounce back from any devastating event that results in complete data destruction, deletion, or unavailability of critical systems.

Carlos Recalde, President & CEO
Insights into resilience against severe but plausible events, as defined by leading U.S. financial firms