By Doron Pinhas, CTO of Continuity Software
There’s strength in unity, it’s often been said, but for the world’s banking system, the opposite might be true. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” according to three U.S. government agencies.
Computers, big data, devices, the cloud, and other advanced technology have had a major impact on the financial services industry, enabling institutions to use digital channels to offer more real-time services and deliver an improved customer experience. The downside of the digital revolution in financial services is the increased dependence on technology. Institutions are more interconnected than ever, and outages – due to cyber-attacks or technology failures – could have a devastating effect not just on a single institution but also on the economy as a whole.
To address these systemic vulnerabilities, the Board of Governors of the Federal Reserve System (Board), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) have jointly proposed Enhanced Cyber Risk Management Standards to “increase the operational resilience of these entities and reduce the impact on the financial system in case of a cyber event” in the banking sector, the agencies said in their proposal. The rules, if adopted, will affect institutions with assets of $50 billion or more, which are deemed to be “systemically important financial institutions.”
The regulators’ concerns are well founded; financial failures can set off huge panics. 2008 seems like ancient history by now, but we should not forget that the road from the failure of Bear Stearns to the bailout of AIG and a worldwide recession was a surprisingly short one. Panics are possible, the regulators fear, not just in the event of a financial meltdown, but a cyber one as well – whether due to hacking, data failure, or any other cause.
To prevent such meltdowns, the regulators want the major financial players to be cyber-resilient. They are putting the onus on institutions to develop methods to “anticipate, withstand, contain, and rapidly recover from a disruption caused by a significant cyber event,” taking into consideration the possibility of “multiple concurrent or widespread interruptions and cyber-attacks” on their own systems or on critical infrastructure, such as a breakdown of the power grid or the Internet. Under the plan, organizations will need to develop systems to halt and prevent the spread of “contagion,” so their own failing platforms do not turn into a domino that brings down other institutions, and eventually the entire system.
The first step for banks should be to inventory their ability to recover from a failure – including how long it will take them to recover their data. The resiliency that regulators want from financial institutions will require them to meet a two-hour recovery time objective (RTO) for sector-critical systems. To determine whether this can be accomplished, companies will need to adopt methodologies that measure whether the plans they develop would meet resiliency standards. Of course, the one sure way of finding out would be to have an actual service outage and hope that the plan works – but that’s clearly a method no one wants to use!
A successful assessment system needs to measure risk – and resiliency – quantitatively, and identify actions to remediate any problem that would prevent meeting the two-hour RTO window. To measure risk correctly and accurately, three separate sets of metrics must be evaluated:
Data recoverability and safety. These metrics check and quantify whether the application data is protected, as required by the standards for the criticality of the system. This allows entities to determine if all data is backed up as needed, in order to ensure cyber resilience, and more specifically, recoverability. These metrics should answer questions such as: Was any critical data omitted from the backup? Is sufficient copy frequency being maintained? Is the data retention period sufficient? Are copies adequately isolated from tampering and alteration by unauthorized individuals? Are copies kept in an appropriate geo-distribution? What is the estimated restore speed?
Availability of recovery infrastructure. This metric should address the following questions: Does a recovery infrastructure exist? If so, how much capacity and performance does it allow after recovery, compared with normal operations? (Capacity and performance could be measured either in transaction volume and speed, or in network, compute, and data storage.) What is the estimated time to activate this infrastructure?
Currency of the recovery infrastructure. How current is the configuration of the recovery infrastructure? It is important to make sure that the configuration can be recovered to the same point in time as that of the data. Otherwise, a successful system restore might not be possible.
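To make the idea concrete, the three metric areas above can be sketched as a simple quantitative check. This is an illustrative sketch only: the two-hour RTO figure comes from the proposed standards, but the field names, thresholds (such as requiring at least two geographic copy sites), and scoring logic are assumptions, not any regulator-prescribed formula.

```python
from dataclasses import dataclass

# The two-hour RTO for sector-critical systems is from the proposed standards;
# all other thresholds below are illustrative assumptions.
RTO_HOURS = 2.0

@dataclass
class ResiliencyMetrics:
    # 1. Data recoverability and safety
    critical_data_backed_up: bool    # was any critical data omitted from backup?
    copy_frequency_hours: float      # time between backup copies
    retention_days: int              # how long copies are kept (policy-specific)
    copies_isolated: bool            # protected from tampering/unauthorized change?
    geo_sites: int                   # distinct geographic copy locations
    estimated_restore_hours: float   # projected restore speed
    # 2. Availability of recovery infrastructure
    recovery_infra_exists: bool
    recovery_capacity_pct: float     # capacity vs. normal operations (policy-specific)
    activation_hours: float          # estimated time to activate the infrastructure
    # 3. Currency of the recovery infrastructure
    config_in_sync: bool             # config recoverable to the same point as the data?

def assess(m: ResiliencyMetrics) -> list[str]:
    """Return remediation findings; an empty list means the plan
    meets these (assumed) resiliency criteria."""
    findings = []
    if not m.critical_data_backed_up:
        findings.append("critical data omitted from backup")
    if m.copy_frequency_hours > RTO_HOURS:
        findings.append("copy frequency insufficient for the RTO")
    if not m.copies_isolated:
        findings.append("copies not isolated from tampering")
    if m.geo_sites < 2:
        findings.append("insufficient geo-distribution of copies")
    if not m.recovery_infra_exists:
        findings.append("no recovery infrastructure")
    elif m.activation_hours + m.estimated_restore_hours > RTO_HOURS:
        findings.append("activation plus restore time exceeds the two-hour RTO")
    if not m.config_in_sync:
        findings.append("recovery configuration out of sync with the data")
    # Retention-period and post-recovery capacity thresholds are
    # policy-specific, so they are recorded but not scored here.
    return findings
```

The key design point is that every question the metrics raise maps to a measurable field, so the assessment produces an actionable remediation list rather than a pass/fail guess – which is exactly what makes meeting the RTO verifiable without waiting for a real outage.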
Once such an assessment is in place, companies will be in a much better position to understand what needs to be done in order to recover quickly and resiliently.
While it’s safe to say that most institutions might balk at the idea of another layer of regulations – don’t we have enough already? – the regulations in this case are more than just rules; they are best practices, and actually are steps financial institutions should have already taken on their own. Cyber-resiliency ensures that customers are better served and their data is more secure. These practices help institutions maintain their reputation and protect them from liabilities (financial, regulatory, or otherwise). Although regulations might seem burdensome to many in the financial sector, in this case they are likely to be welcomed.