It can often be difficult to get an objective understanding of your cyber risk and the maturity of your defense and response capabilities. The Bank of England has released some useful materials on this that are globally applicable.
The Bank of England's CQUEST questionnaire is a valuable tool for assessing the operational resilience of financial institutions, particularly their cyber recovery capabilities. It provides a comprehensive framework for identifying potential vulnerabilities and gaps in a firm's ability to respond to and recover from disruptive events, such as cyber attacks or technology failures.
Although CQUEST forms part of the Bank of England and PRA/FCA's supervisory toolkit for gauging the cyber risk and resilience capabilities of the financial sector, other firms can also use it as a self-assessment tool to consider their own cyber risk and resilience maturity.
You can find the approach set out here.
Within this framework, there are a number of questions that relate to having better recovery plans that are executable, exercisable, automated, testable, visible, and have a full indelible audit trail (see questions 44-46 and 48-49).
Cutover’s automated runbook platform provides functionality that can help you address these specific CQUEST framework questions:
Do you exercise (prove) your ability to respond to a range of scenarios?
Cutover provides the ability, through our automated runbooks, to create carefully crafted responses to a variety of scenarios. These are not static plans but executable, measured sequences of tasks and activities that reduce the risk of missteps and incorrect actions leading to major customer impact.
How do you ensure you are adequately prepared for recovery, following the failure of IT systems or services?
Cutover has experience doing exactly this for the world’s largest financial services organizations. Our customers use our platform to regularly prove and reduce risks in their ability to recover IT services, in a timely manner, following failures and interruptions to those services.
Do you have recovery plans that cover the recovery of systems and data from an incident caused by a cyber attack?
Use Cutover to orchestrate your system recoveries and, where appropriate, integrate with immutable data stores (such as Rubrik) to recover data that may have been compromised as the result of a cyber attack. Our customers are looking at their recovery plans through the lens of important business services to ensure that they have an appropriate and adequate response captured if they experience, for example, a ransomware attack.
Do you perform recovery testing?
It's not enough just to have plans: you should regularly exercise and prove them. With Cutover, our customers schedule and perform recovery testing throughout the year, shortening planning cycles and creating the capacity to test more often against a wider set of scenarios. In some cases, our clear and comprehensive orchestration capability has enabled customers to complete recovery tests that they had previously been unable to complete.
To what extent do you proactively engage with your critical third parties and ecosystem partners on detection, response, and recovery activities?
Cutover’s ability to integrate with a large number of third-party systems and platforms allows you to define recovery plans that start automatically when issues are detected. Additionally, you can bring third parties onto the platform so you can attest to and evidence how you would recover from a cyber attack across multiple services and applications.
Cutover is ideally placed to support you in meeting the Bank of England's CQUEST requirements and has been doing so for some of the most complex and sophisticated global organizations. To find out more, please get in touch or book a demo to see the platform in action.