The views and opinions expressed in this article are those of the thought leader and not those of CeFPro.
By Alpa Inamdar, Head of Third Party Governance Advisory, BNY Mellon
What advice would you give when developing an incident response plan?
An incident response plan is a set of tested instructions and procedures designed to ensure an effective and efficient response to a critical situation. The plan should include the following major components: Identification; Notification; Validation; Escalation; Interdiction; Mitigation; Recovery; Reporting. Each business and functional unit must have an approved plan consistent with their data, systems and operations. A primary step of any incident response plan should be to determine who is on the frontlines and what their roles and responsibilities are. Designated team members should have a complete understanding of the communication system in place in order to convey information in a timely manner. The first priority of the plan is to determine what information/system/process has been compromised and who is affected by the compromise. While incident “playbooks” are important, an incident response framework should be adaptable and flexible enough to ensure an effective organizational response across a broad spectrum of potentially disruptive events (the so-called “all hazards approach”). Most importantly, the framework should be tested regularly through a mature crisis management exercise program across a variety of realistic scenarios. Senior management involvement up to and including the Management Board level is essential.
Why is it important to understand the scope of an attack?
With continuous movement of important company information online, anything and everything can be potentially compromised. Therefore, it is critical to identify the universe of information that is compromised, and implement steps to protect other exposed information. Different types of information require different mitigation and recovery plans. Knowing what type of information was compromised is essential to calculating the costs of a breach. For instance, in 2016 Bangladesh [Central] Bank was the victim of a cyber heist to transfer nearly $1 billion in funds out of their NY Federal Reserve account. However, rapid interdiction limited the exposure to $101 million, which was actually transferred before the remaining transactions were blocked. Knowing where the $101 million was transferred allowed Bangladesh Bank to recover most of the money compromised.
Once you understand the scope of the attack, you can begin the interdiction, mitigation, and recovery processes. Part of that recovery process involves communicating with the affected parties and remediating the relationships with any stakeholders or partners whose information and/or assets were compromised. Nevertheless, it is unlikely that the firm will have perfect knowledge of the nature of an attack, particularly in the early stages. For example, the firm may have only a partial understanding of what has been compromised, who has perpetrated the attack, or why. The firm must be prepared to act on incomplete information, and adjust responses as new information is received. A formal relationship with law enforcement, or specialist external forensic teams, can be helpful under certain circumstances.
In your opinion, when is the right time to educate investors on the changes and future numbers?
I would say start now to mainly sign-post key issues, but emphasise always that this is all about timing and value-add in terms of the quality of information in the accounts. It is a fine balance between: 1) allowing enough time for the messages to be well understood and 2) having enough of an understanding of the dynamics between the transition balance sheet and emergence of future profits. With a little less than two-and-a-half years left, I think a six-monthly update would be in order, to break the discussions into manageable but reasonably frequent and incremental dialogue.
What are some of the challenges when maintaining relationships with investors and explaining the changes?
Three challenges: 1) preoccupation with the “here-and-now” or business-as-usual which is what investors are currently used to and what will determine current performance vs. the pivot towards a new presentational paradigm. 2) Having enough knowledge and understanding from the implementation to have a meaningful dialogue; a bit like the quantitative impact studies of the Solvency II process. And 3) needing to actually cater to a much wider audience than just investors, including internal as well as external stakeholders.
In your opinion, why are cyber drills an important tool?
It is important to note that communication involves both the inbound communications to the Incident Management Team (IMT) as well as the outbound information, instructions, notifications from the IMT.
All affected individuals should participate in the communications plan. Any strategy that hinges on interpersonal relationships will only succeed when all parties contribute. All participants should have a clear understanding on what their role is as well as the roles of everyone else involved. To ensure that the right people are involved, a routine verification process should be included to ensure appropriate dissemination of information.
Technology should be leveraged to make communication as optimal and controlled as possible. For instance, video chat software like WebEx has a system in place that allows participants to take turns speaking. Recordings/minutes of video calls should be kept to have a record of all topics discussed for potential audits as well as to keep team members accountable. Note: Legal and Data Privacy experts should be consulted to determine the appropriate methodology for distribution, recording, and storage of all incident-related information.
A stakeholder map and RACI chart are important to have in the communication strategy and IMT plan.
How has the COVID Pandemic influenced business continuity planning?
The pandemic has forced all but the most essential in-house staff to work remotely. While there is a uniform IT protocol for all of our offices (i.e. firewalls), the same cannot be said about each employee’s or vendor staff member’s home internet. As such, a continuity plan has to have an agile financial budget for ensuring that every remote employee has an appropriately secure connection. This includes budgeting for laptops, RSA tokens, equipment such as mice/headphones/desks, etc. Preferably, these solutions for employee security during the pandemic can be leveraged when employees start to return to our offices.
Business Continuity plans often have to run for an extended period, and it is important to ensure we can sustain a “double-whammy”, such as a local weather crisis and/or power outage while in the throes of the pandemic. Additionally, scenario planning for pandemics is essential: what are the plans if 20%, 30%, or 50% of staff are sick and unable to work? Given the extended nature of a pandemic, and the fact that the firm’s footprint, staff disposition, and attack surface (for cyber-attack) are constantly evolving, the firm must have effective decision-making authorities in place to adjust business continuity measures.