As global regulatory guidelines become more closely aligned with Bank of England requirements, financial services organizations worldwide must consider more carefully their important business processes and impact tolerances, and how to avoid intolerable harm to consumers.
Organizations need to consider what severe but plausible scenarios could drive business processes out of impact tolerances. The Bank of England gives several categories of risk for consideration, including cyber threats and the loss of IT systems.
To manage these risks and remain within impact tolerances, we suggest you follow these best practices:
Develop scenario-specific procedures to stay within impact tolerances
Carrying out a broad range of scenario testing is key to ensuring preparedness, as it has become apparent that one-size-fits-all service recovery plans will not work in the current resilience landscape. Firms need to develop specific procedures linked to scenarios to safeguard impact tolerances and avoid causing intolerable harm.
It appears that certain scenarios, such as pervasive cyber events, could lead to recovery times beyond objectives, which could cause intolerable harm. Third-party failure is a common cause of outage (Uptime Institute found that third-party, commercial IT operators accounted for 63% of all publicly reported outages), so make sure to consider third-party dependencies in your testing and involve suppliers in your testing and recovery where appropriate.
Be prepared for a range of cyber threats
Firms should demonstrate how they would recover from a cyber attack that renders systems unavailable and data compromised. They must consider the potential scale, type, and method of attack they may be hit with and how they would recover in a timely manner.
The industry recognizes that a recovery from this type of attack is different, and you can’t assume your usual failover methods will work. You have to develop an approach that works for your organization and then plan and test this scenario.
Don’t forget about cloud recovery
You need to plan for a failure in your technology infrastructure, whether it’s on premises or in the cloud. It’s important to understand how responsibility for cloud disaster recovery is shared between you and your cloud provider because, contrary to what many believe, migrating to the cloud does not ensure application resilience. From there you can build out your automated runbooks to manage any cloud-based disaster.
Build comprehensive recovery runbooks
Develop recovery procedures and runbooks detailing the actions you need to take in the event of each scenario you have identified. This includes how you would maintain data integrity, which checks need to be performed when bringing systems back online, and how to keep stakeholders informed of progress.
Runbooks should standardize and automate your operational processes in order to improve efficiency and reduce risk across your applications. With automated runbooks such as Cutover’s, you gain greater visibility and control over the planning, testing, and execution of your IT disaster recovery, cyber recovery, cloud migration, and software release and patching.
Provide evidence for regulators
You will need to provide evidence of your testing and recovery procedures for regulators, which should include recovery time actuals (RTAs) against recovery time objectives (RTOs) and full audit logs of the tasks performed.
Your testing should closely mimic the anticipated disruption. Consider performing incident response exercises that prove your crisis management capability. That way, when it comes to recovering from a real incident, procedures are well practiced and can be executed quickly.
Once testing or recovery is complete, having an automated system of record to provide to the regulator will make post-event reporting quicker and simpler.
Use Cutover to stay within impact tolerances
Cutover enables you to test and recover from a variety of scenarios, from individual technology failures, to total loss scenarios, to cyber recovery events such as ransomware attacks. With Cutover, you can capture the individual steps and actions needed for recovery in a runbook associated with a specific service and provide evidence to regulators of how long it took to recover through the indelible audit trail. You can also use Cutover to bring third parties (such as suppliers or other FS firms) into testing and recovery activities. Use Cutover to measure and stay within impact tolerances and ensure regulatory compliance.