Financial Services Ireland

INSIGHTS

Operational Resilience and Cybersecurity: How prepared is your organisation against operational disruption?

Read More



The recent cybersecurity attack in Ireland highlights the growing trend in destructive attacks we are seeing across the board, not least those targeted at financial institutions.

Whether the attacks are targeted or opportunistic, the most common point of weakness is often basic routine hygiene factors:

  • Unpatched software (operating systems, kernels, applications)
  • Misconfigured firewall rules or WAF
  • Weak IAM rules and policies

A successful attack can often be avoided if reasonable protective defences are in place.

Understanding one’s end-to-end architecture and infrastructure not only reduces the success of potential attacks, but also lends itself IT framework optimisation. Alignment to ITIL or 6 Sigma, for example, can ensure a clear understanding of your asset inventory, their configuration, and the interdependencies between them. It will also enable you to understand the business services mapped to each asset, as well as any third-party dependencies and potential vulnerabilities. This holistic approach will allow you to fully understand and account for the full impacts of operational disruptions.

There are clear linkages and alignments to consider around the two recent CBI consultation papers on outsourcing and operational resilience.

Operational resilience

It may be worth reflecting on your own organisation in the context of operational resilience.

What is your organisation’s current level of ability to identify and prepare for, respond and adapt to, recover and learn from an operational disruption, such as that which the HSE is now facing?

In the context of the 3 pillars of the CBI’s proposed operational resilience framework:

1. Identify and prepare
  • How could your organisation be impacted by a similar disruption?
  • Which of your important business services may be impacted by the scenario that the HSE are dealing with, and how would your impact tolerances hold up?
  • How robust are your backups of all critical systems?
  • Have you performed a crisis simulation exercise?
2. Respond and adapt
  • When was the last time you tested your business continuity plans?
  • Do your incident management strategies and response plans need refreshing?
  • Are your crisis communication plans robust enough to handle the type of media attention the HSE are receiving?
3. Recover and learn
  • What can you learn from recent disruptions to improve your own operational resilience?
  • What are the long and short term solutions and changes you can make to enable your organisation to be more resilient?
  • Do you use cybersecurity and business interruption insurance?
  • If there are gaps and vulnerabilities, consider placing a cybersecurity response team with expertise in responding to ransomware events on retainer.

Outsourcing

Where you use outsource service providers as part of the chain to provide services to your customers, the suppliers’ own cybersecurity and information security measures and standards act as an extension of your own.

The CBI places a large emphasis on considering the risks around the digital agenda as part of your risk assessments of third parties and asks that as part of risk assessment – both Sensitive Data Risk and Data Security – availability and integrity are fully accessed across a range of factors.

There are also contractual requirements stated such as access for penetration testing; Whether the OSP should take out mandatory insurance against certain risks and notification requirements of financial difficulty, catastrophic events, and significant incidents.

Summary

Another key consideration that is aligned to the two CBI consultation papers is the “tone at the top” – the board and senior management modelling the right behaviours regarding security and leading by example through the chain of the organisation. They also need to know the right questions to ask at the right time.

Cybersecurity isn’t just an IT problem, there are roles and impacts across the entire business. Firms need to consider their resourcing mix and how prepared they are to respond to disruption.

For more on this topic, EY recently hosted a special cybersecurity webcast which is now available on-demand here.

If you want to discuss this in further detail, or if you have any questions, please do not hesitate to get in touch.

Sara Woods

Senior Manager, Technology Risk
Sara's Full Profile