Over the past 12 months, cyber attacks have caused widespread disruption and inflicted more financial damage on businesses than ever before across multiple industry sectors including financial services, healthcare, energy, pharmaceuticals and utilities. The evidence is plain to see in the media headlines as well as in the public breach disclosures and profit warnings issued by a number of global companies.
Against this backdrop, the need has never been greater for financial services companies to develop the capability to absorb these attacks into their business-as-usual operations rather than responding in a reactive, crisis mode. There are a few reasons for this focus on what is being termed ‘cyber resilience’.
Cyber resilience is therefore much broader and deeper than simply an updated view of business continuity or disaster recovery plans. It means understanding, to an unprecedented level, where failures can impact the business across the entire value chain, and carefully planning how to eliminate, avoid, reduce or compensate for those failures.
Organisations naturally have finite resources and can’t do everything; hence this entire process must be risk-based, focusing energy on those areas that matter most.
This is a journey that will not happen overnight and requires careful medium- to long-term planning. Defining the strategy and executing the plan that moves a business to a future state of improved cyber resilience is a process. Overall governance is crucial for sponsorship, and a coordinated, programmatic approach is key, since the necessary activities cut across all three lines of defence.
From working with our clients and interacting with financial services regulators globally, we broadly see the components of the process towards cyber resilience as follows:
We outline this overall process in more detail in the paper below, which I hope will help prompt fresh thinking and provide a source of comfort for those who have already embarked on such a journey.