For some, a business continuity plan is something that gets dusted off the shelf every few years, only to be returned to the stack with a few modifications.
In the wake of the global coronavirus pandemic, many institutions have discovered that’s just not enough.
As head of financial services at the New York Fed, I’m responsible for managing payments and receipts of currency for depository institutions across the globe, meeting demand for U.S. currency wherever it is. I also oversee the Fed’s Wholesale Product Office, which acts as the plumbing for the U.S. financial system.
Given the volume and value going through our pipes, any sort of disruption to our infrastructure would have an immediate and significant impact on the financial system. So we spend many days and nights thinking about what could go wrong and how to make the system more resilient.
Needless to say, these past few months have shown the importance of thinking about how to adapt existing business continuity procedures to keep up with new challenges.
Back in March, a cyberattack on a commercial service provider — which many small and midsize banks use to manage their connectivity to the Fed — impacted their ability to complete daily settlements worth billions of dollars. It became clear that a number of the institutions that used this service provider did not have an effective business continuity plan, and had not practiced their contingency channels.
This incident, among others, revealed gaps in business continuity plans that must be filled. The current context makes this even more urgent.
With so many employees working remotely, and operating using business continuity models that have not been thoroughly exercised, there will likely be more disruptions that could have an enormous impact on the financial system.
Point-blank: Don’t be complacent.
Although there are hopeful signs that the curve has flattened, the path of this pandemic has not been what we’ve expected so far. The future remains uncertain.
It may seem that the worst of this crisis is behind us, and we can breathe a sigh of relief. But now is the time to prepare for what may lie ahead.
On the most basic level, institutions must prioritize strengthening their contingency models and make sure their business continuity plans are being reviewed, practiced and understood. Then, focus on key-person risk.
What if a second or third wave of the coronavirus pandemic were to hit? What if those waves are even more severe?
Even if team members are positioned to work remotely, institutions should be prepared for potential bottlenecks and pinch points that may emerge if individuals cannot work for long periods of time. Have you considered training not just backup teams, but a tertiary team and beyond?
Leaders should also ask whether they have the proper equipment, access and credentials to be able to quickly step in if necessary. At the end of the day, a plan is not enough. Executives must ask themselves: “Can we actually execute this?”
Finally, cyber resiliency in a business continuity model is going to be crucial to ensuring a safe and secure financial system. Cyber resiliency is broader than the traditional business continuity focus on data backup and recovery. It’s about data integrity: the ability to trust the data, and to know with confidence that backed-up data has not been corrupted or altered by a cyberattack. Resilience is the ability to operate, even in a degraded state, and recover from deliberate attacks.
During a time of perceived chaos, bad actors will ramp up their activities and institutions must be prepared. With so many around the world accessing their work remotely through different channels, institutions cannot go without assessing and testing their security profiles.
Bottom line, stay flexible and continue to modify as needed. Make sure you can dust off the contingency plan and employ it at a moment’s notice. Or better yet, don’t ever let it collect dust at all.