The New FFIEC Business Continuity Guidance: 5 Things You Need to Know

by Stephanie Goetz | Nov 22, 2019


On November 14, the FFIEC updated and renamed its business continuity handbook from Business Continuity Planning to Business Continuity Management.  (Check out the updated handbook here.) The updates are principally focused on increasing an institution's resilience against cyber threats. Cyber threats are in the news constantly, and they may be the most likely reason an institution would need to execute its business continuity plan these days.

If you're wondering what a modern, large-scale cyber-attack looks like, this 2018 Wired article on NotPetya paints a pretty good scenario.

Here are five things you can do to boost your plan’s effectiveness in a cyber scenario and prepare for compliance with the new guidance:

  1. Ensure your plan considers and properly rates the cyber scenarios and risks identified elsewhere in your governance program. Ask yourself the following questions: Does your plan's threat assessment consider the results of your risk assessment? Your recent penetration test results?  How about your latest IT audit? These may surface risks or scenarios that were overlooked in the planning process.

  2. Do not assume that your secondary site or third-party provider will be available during a cyber event. Ransomware can propagate to backups that are reachable from the compromised network.  Your cloud provider may be targeted in the same denial-of-service event.  What is your backup plan if the backup itself is unavailable?

  3. Know the roles of your third-party suppliers in an event. Incorporate these roles into the contract, either at inception or when it renews.  Include the third parties in your tests to the extent applicable. Be sure to review their plans and test results as part of your due diligence process.

  4. Exercise, test and repeat. This is the only way you will find the weak points, false assumptions, or missed updates in your plan.  Remember, this isn't pass/fail; it is meant to be a learning opportunity, so don't be afraid to come away with takeaways that improve your plan.  Make those revisions sooner rather than later and retest to confirm they have the desired effect.

The extent to which you exercise and test your plan should be driven by your institution's risk tolerance and its size and complexity.  Your tests should validate the integrity and availability of data for critical systems, that your recovery timeframes are achievable, and that you can process the anticipated volume of transactions.  Also test the physical and environmental controls of your backup facility.  Exercise the quality of decision making, communication protocols, and cross-departmental coordination, and run through procedures at your recovery site.

  5. Don't go it alone. Include your coworkers and leadership in exercises and tests. Do your coworkers know what to do in an event?  Do they know where your recovery site is located? Do they know what an emergency notification will look like?  How about where, or from whom, it will come?  Externally, be sure you are aware of and have incorporated the assistance offered by your cyber insurance. It may help to bring in outside assistance to facilitate tabletop exercises specific to your organization.  If you can't afford that, you may be able to use industry and user group resources instead, such as FS-ISAC's Cyber Attack Against Payment Systems (CAPS) exercise.  (You can find more information about that here.)

If you're looking for help with business continuity planning or incident response, or would like someone to lead and facilitate a tabletop exercise, give us a call at 833-297-7681 or email us at support@bedelsecurity.com.

