Reporting and Governance

Building strong and adaptive businesses during rapid and unpredictable technological and economic change is an essential objective, one made more urgent by the growing threats in cyberspace. By Margarete McGrath, Chief Digital Officer, UK and Ireland, Dell Technologies.

Agility and diversity of thought are the foundational principles for businesses that want to be more resilient and secure. As cyberattacks increase in frequency and severity, it has become clear that those businesses that can best cope with traditional commercial, economic, operational and political shocks are also the most cyber-resilient.

The ransomware attack on the world’s largest retail foreign currency dealer on New Year’s Eve was yet another high-profile example of the cyber-risks facing businesses. The company’s systems were infected with ransomware, forcing it to take them offline for several weeks to contain the infection.

Companies are starting to take a more holistic approach to managing cyber-risk. A shift in emphasis is taking place, from cyber-security to the broader concept of cyber-resilience. An effective cyber-strategy is not just about businesses improving cyber-security to prevent and detect attacks. It is also about improving cyber-resilience so they can respond to (and recover from) attacks quickly, and learn from the experience.

More broadly, cyber-resilience is increasingly seen as an essential component of overall business resilience. Executives must be able to respond to cyber-incidents with as much agility and effectiveness as they do to any other shocks.

Sheltered Harbor initiative 

The rapidly evolving threat environment is leading to innovative partnerships being forged between businesses to provide greater levels of security and improve cyber-resilience. For example, the US financial services industry has set up the Sheltered Harbor initiative to protect customer account data if a catastrophic cyber-attack or other event causes a firm’s systems to fail and data to be compromised. A not-for-profit subsidiary of the Financial Services – Information Sharing and Analysis Center, Sheltered Harbor comprises banks, asset managers, trade associations, technology providers and other organisations.

Every night, financial institutions in the initiative back up critical customer account data to a data vault using the Sheltered Harbor standard format. Each institution carries out the backup itself or uses a service provider. The data vault is separated from the institution’s IT infrastructure, including all its other backups, and the data it holds is encrypted and immutable. If the institution suffers a cyber-attack or IT failure, the data is protected and, by activating a ‘resiliency plan’, can be quickly restored from the vault so that customers can access their funds.

Financial regulators are taking a close interest in how firms respond to cyber-threats. The Basel Committee on Banking Supervision regards cyber-resilience as a vital aspect of operational resilience. “Actors in both the private and official sector” should approach cyber-risk management “from a broader strategic and operational resilience perspective rather than restricting it to a purely technical discipline focusing on security”, it says.

The committee set up an Operational Resilience Working Group in 2018, and one of its first tasks was to compare banks’ cyber-resilience practices around the world; the results were published in ‘Cyber resilience: Range of Practices’. It is now working on broader operational resilience principles.

The regulatory landscape is evolving quickly in different countries. For example, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority last December published co-ordinated consultation papers and a shared policy summary on new requirements to strengthen operational resilience in the financial sector.

Under the proposals, businesses will have to plan how to keep important services running in case of disruption caused by man-made events such as cyber-attacks and IT system failures, as well as natural hazards such as severe weather and disease. The consultation closes on April 3 this year. 

Agile teams 

Experience of working with many leading businesses suggests that a key element of building business resilience is ensuring that senior teams are agile and diverse in their thinking. To begin with, business leaders need to consider the following:

  • Encourage different opinions and business models throughout the organisation. Diversity of thought and action in an uncertain world creates a strong organisation. Different teams can look at products, services and operational challenges in different ways, and then coalesce when necessary to develop synergies. Dell Technologies, for example, operates seven different businesses under one brand with strategic overlaps in some areas.
  • Participate in war-gaming scenarios covering a range of threats such as cyber-attacks, economic shocks and epidemics like the recent coronavirus outbreak. Crisis management exercises using real-life scenarios will help the business build agility and fine-tune its disaster recovery and business continuity plans. Chaos engineering should be used to test whether IT infrastructure and software can withstand failures, just as Netflix does with its Chaos Monkey.
  • Identify critical data and protect it in an off-the-network vault. This is not an easy exercise and requires executive sponsorship. Typically, critical data accounts for between 10% and 15% of a business’s overall data, but most businesses struggle to define it.

Cyber-resilience is a major focus for business leaders. But they should view it as just one piece in a much bigger resilience framework, one that enables the business to withstand a variety of threats and shocks, whether they be technological, operational, economic, political or natural. 
