Business Continuity in the Finance Sector: Cyber-risk and other Threats

In October 2012 a distributed denial of service (DDoS) attack on HSBC took down its web-based services for approximately seven hours after the system was overwhelmed with up to 500 times its normal web traffic. A similar fate befell NatWest just over a year later in December 2013.

More recently, the UK regulators the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) imposed fines totalling £56m on Royal Bank of Scotland (RBS) in November 2014 for an “unacceptable” computer failure in June 2012, which meant that millions of customers were unable to access their accounts, payments were disrupted and some automated teller machines (ATMs) did not allow customers to withdraw money.

In October 2014 JP Morgan disclosed a security breach in which data associated with 83m accounts was compromised. At the time it was alleged that Russian hackers were behind this attack as well as further attacks on other FIs.

Of course it’s not just data that criminals try to steal; sometimes it’s the very reason for the bank’s existence – cash! In February 2015 Kaspersky Lab uncovered a campaign that had allowed hackers to steal up to £650m. The perpetrators had installed malware on computers within banks, delivered via spear-phishing emails to staff, so they could monitor systems and processes; what they learned later enabled them to impersonate legitimate operations and transfer money out.

As these examples show, the cyber threat is very real within the financial sector. When these threats materialise it can be expensive for individual institutions – not just in terms of lost revenue or fines, but through reputational damage. The public level of trust towards the financial sector has not been high in recent years, so it takes little to make matters worse. When customers cannot access their web-based services there is frustration; when denied access to their money there is often apoplectic rage.

The incidents mentioned here are just a handful within a vast industry. How real is the actual threat? The Business Continuity Institute’s (BCI) latest Horizon Scan report, published in early 2015, identified cyberattacks and data breaches as two of the biggest concerns for business continuity professionals working in the financial sector. According to the global survey, 83% of respondents working in this sector expressed either concern or extreme concern about a cyberattack, and 76% expressed the same degree of concern about a data breach.

So how do financial professionals combat the cyber threat? Technology is continually advancing to prevent various types of attack, yet so is the sophistication with which the attacks are carried out. Possibly the most important tool in preventing any unwelcome intrusion into your systems is employee awareness. All too often it is an employee’s lapse in judgement that allows the attacker in – be it a weak or reused password, clicking on a malicious link or opening a harmful attachment. Organisations across all sectors need to ensure their staff are aware of the threats posed and are more thoughtful about their own actions.

Disruption to the company’s IT systems doesn’t just originate from malicious attacks; it could come from something as simple as an unplanned IT or telecoms outage or an interruption to the utility supply. Seventy-eight per cent of respondents to the Horizon Scan survey expressed extreme concern or concern at the prospect of the former occurring, while 50% were equally worried about the latter. This is marginally lower than other sectors, possibly because organisations within this sector have done more than most to put plans in place that allow them to effectively deal with materialising threats without major disruption.

The greatest asset an organisation possesses

The financial sector is heavily reliant on its IT systems and the data contained within, but perhaps even more reliant on its staff. So what happens when employees are unable to come into work?

Superstorm Sandy in 2012 effectively shut down entire sections of New York City for some time, causing major disruption to the financial sector. Adverse weather events don’t need to be as catastrophic to cause disruption. Snowstorms can play havoc with infrastructure and prevent access to work and the UK floods of 2013-14 had a similar result.

Security incidents and acts of terrorism are featuring in the headlines more regularly. Since the global financial collapse of 2008, banks have become unpopular and easy targets for public anger. Protests such as the ‘Occupy’ movement have taken place across the world, causing disruption. While in many cases these demonstrations are a nuisance rather than anything more sinister, often the uncertainty of what might happen next causes more disruption. That can also be the case with terrorist acts, where the fear factor that emerges can cause more problems than the original incident. What is important in both cases is not just to make sure that your staff can work, but that they can do so safely.

Human illness is also a major risk. In recent years there have been many ‘outbreaks’ – bird flu, swine flu, SARS and, more recently, Ebola. A pandemic can cause severe disruption by not just preventing staff from coming in to work, but by stopping them from working at all if they become unwell. While the outbreaks mentioned above were relatively limited (compared to what might have been), as with acts of terror the fear factor often causes more disruption than the incident itself.

Horizon scanning

There are many different risks; what is key for any organisation when developing a business continuity programme is conducting a horizon scan to assess which threats are specific to that organisation and what could potentially cause a disruption. Clearly this will vary depending on several factors such as geographical location, although several threats such as cyberattack may be relevant to all.

Responding to an incident

So how does an organisation respond to an incident that has the potential to cause disruption? That is the key question and the response will differ depending on the incident and the disruption caused.

Is the IT out of action? Can it be replicated elsewhere? There are many data replication solutions available that can mirror all data to a secondary system, removing the single point of failure that could otherwise result in all data being lost in the event of an IT disaster. Bear in mind that replication faithfully copies corruption and malicious changes as well as good data, so it complements rather than replaces point-in-time backups whose restores are tested. With the increasing use of the cloud people should, theoretically, be able to uproot themselves and move virtually anywhere to get their work done. In office-based environments, this is certainly the case.

Is the building out of action, either because it is closed or inaccessible? Can a nearby workspace be used, or can staff work from home instead? The technology available – either by enabling employees to log in to the server remotely or by using the cloud – makes this a perfectly feasible solution, provided the remote access has been provisioned and tested in advance (accounts, capacity and strong authentication) rather than stood up in a hurry during the incident. When the disruption is on a much wider scale, such as a severe storm, can the important work be transferred to a separate location within the same organisation? Again, it comes down to the ease of access to data.

Has there been a loss of staff? If this is due to inaccessibility of their workplace, then again options such as working from other locations must be explored. If it is down to an inability to work, for example because of a pandemic, the contingency plan needs to identify who can cover the important roles, or whether staff are trained in multiple roles.

Whatever the crisis, it is essential to respond swiftly. The longer an organisation delays action, the more disruptive the incident could become. Communicate to all stakeholders what is going on and what is being done to resolve it. People are much more understanding when the organisation is transparent and is evidently making an effort to sort things out.

Supply chain resilience

Making sure that your own house is in order is one thing, but in today’s globally-connected and often complex world, most organisations depend on many others contained within their supply chain. A supply chain is only as strong as its weakest link, so it is important to ensure that those organisations you deal with have their own business continuity plans in place and can manage any potential disruption. When conducting your horizon scanning activities, also assess the vulnerabilities of your suppliers.

Testing the plan

Possibly the key part of any business continuity plan is the validation phase – does it work? An incident is the acid test of whether your plan works or not, but if the answer is that it doesn’t, the organisation could be left in a mess. Testing and exercising ensures that the plan can be properly assessed in an environment where it doesn’t matter if it goes wrong. There are several ways of exercising the plans, ranging from tabletop exercises – whereby the key players discuss different scenarios and what they would do if they actually occurred – to a live exercise in which an incident is played out as if it were for real.

Disruptive events will always occur, whatever form they may take. By having an effective business continuity programme in place, it should mean that, in the event of an incident, a drama doesn’t turn into a crisis.
