Over the past 15 years, as we all recognize, the role of the internet has expanded dramatically for a wide range of industries, including financial services. Internet standards have become widely accepted, and the prior generation's mix of proprietary network infrastructure solutions has been, or soon will be, replaced by web-compatible technologies. Physical terrorism and/or tragedy, such as the 9/11 attack on the World Trade Center or Hurricane Katrina, significantly disrupted trading and banking activities. After the fact, some financial institutions had to make major revisions to their disaster recovery and continuity plans. Most NYC-based financial institutions implemented their revised plans within a year.
During the past decade, nary a month has gone by without a notable cyber attack that affects the internet, causing outages or systematic stress. Banks are often the target of these attacks because of their intricate role in payment processing and financing. Cyber thieves/hackers have become increasingly sophisticated in designing and launching attacks. Attacks can take a variety of forms: cyber-identity theft, denial-of-service outages aimed at specific websites, viruses that are hard to detect and remove and that cripple servers and workstations, and cyber-fraud transactions, to name a few.
On March 9th, federal and state investigators announced they have cracked a sophisticated cyber-facilitated fraud operation in the Minneapolis-St. Paul area. Identity thefts are being used to raid bank accounts and run up credit card bills. So far, investigators estimate the fraud operation has about 200 members just in the Twin Cities area. Social networking sites are among the prime venues the fraudsters use to capture identity data. Investigators have indicated the operation extends to West Africa and Eastern Europe. In this case, many institutions, both local and national, have become victims along with their customers.
My experience indicates that everyone in bank management, especially the CEO, COO, CFO, CIO, and head of internal audit, and the bank's critical IT vendor(s) are committed to having a well-constructed disaster recovery and continuity plan. These plans are typically reviewed regularly by auditors and the bank's primary regulator. And the bank's board of directors is briefed on the plan periodically. Substantial revisions are often made after a Katrina or a massive earthquake.
If a bank's management team has not already done so, it should make sure the disaster recovery and continuity plan includes an analysis of how to operate if cyber disasters impact the bank, its important technology vendors, or the banking payments infrastructure. A cyber fraud that can escalate into the millions of dollars should be treated by bankers as a disaster. Figuring out how to respond quickly, communicate effectively, and maintain a modified level of business activity is worth addressing before the event even happens. The cyber disaster recovery and continuity plan should be updated whenever a new type of attack occurs anywhere a bank is affected.
During my Navy days aboard a destroyer, the Captain would schedule, often with no advance notice, disaster recovery drills, such as man overboard, battle stations, and fire in compartment X to make sure the entire crew was capable of correctly handling the event, sometimes using a stopwatch to measure the crew's response time. The military survives and succeeds by planning and training for these events - their lives depend on doing it right every time. Bankers and their key technology and payment vendors should take the same approach to planning and training for all types of disasters, including cyber events. In a 24/7 world, a bank's operations, marketplaces, and potentially the broader economy can be seriously disrupted if there is no plan or if it has never been tested.
Bill Bradway, founder and managing director of Bradway Research LLC, analyzes the business strategies and IT investments of US banks and credit unions.