Operational Resilience in Focus, Part Two: Operational Resilience and Cyber
In part one of our Operational Resilience in Focus series, we broke down the concept of operational resilience to understand its domains and foundational components (see figure below), why it matters, and how organizations can start their journey to reach it.
In this installment, we will:
- Explain the difference between operational resilience and risk management.
- Dive into the foundational components of the cyber and information security domain of operational resilience.
- Identify what cyber and information security components are required to help reach operational resilience.
To recap from the first part of the blog, ACA defines operational resilience as having five critical domains, all with the same five foundational components. In this installment, we will discuss the details of the cyber and information security resilience domain.
Operational Resilience vs. Operational Risk Management
Though these two concepts are similar, for regulators, they are distinct. To regulators, risk management is a subset of operational resilience and not the other way around. Emerging regulations distinguish between the two concepts, in that risk management is listed as a critical foundational component of all domains of operational resilience, but operational resilience depends on more than just risk management. An operationally resilient company can effectively manage risks, but deploys risk management alongside governance programs, planning and testing procedures, vendor relationship management, and timely reporting.
“The bank’s operational risk management function should work alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations. Banks should coordinate their business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the bank.” - The Basel Committee on Banking Supervision, Principles of Operational Resilience
The Basel Committee on Banking Supervision states in its Principles of Operational Resilience that “Operational resilience is an outcome that benefits from the effective management of operational risk.” For example, both the U.S. Securities and Exchange Commission’s (SEC) proposed cybersecurity rules for investment advisers and companies and the European Commission’s Digital Operational Resiliency Act (DORA) refer to risk management as a propellant for fully achieving operational resilience. Risk management is the action, and operational resilience is the outcome.
Foundational Components of Cyber and Information Security Operational Resilience
The foundational components of cyber and information security operational resilience include:
- Program Governance
- Risk Management
- Planning and Testing
- Third-Party Risk Management (TPRM)
- Reporting
Program Governance
Organizations must establish governance with designated owners of cyber functions (e.g., technology risk, privacy, business continuity management). A strong governance program needs defined measures of success, communication of risks and resilience program results to senior leadership and/or the executive board, and cross-functional committees. The designated function owners are tasked with administering programs, managing relationships, and routinely undergoing training to keep their expertise up to date. These individuals take an active role in implementing and following resiliency activities, such as clearly defining the roles and responsibilities for cyber-related functions and regularly reviewing policy.
Cross-functional committees bring multiple perspectives together in the same room, deepening the level of knowledge and expertise to build a stronger and more adaptable cyber resilience program than if it were siloed.
Where to Start
Establish owners for the resiliency of the organization’s critical cyber functions. Upper management, especially in-house IT leaders, may naturally fit best into these roles. Those with insight into mission-critical business processes and their associated resilience needs, as well as those with decision-making authority, are good candidates.
Establishing these owners first spreads the remainder of the work across several individuals and decentralizes the burden of creating the operational resilience program. Organizations might elect to have a single overall leader of the initiative to help ensure all these moving parts function and work together. To reduce the hazard of single points of failure, organizations might consider identifying back-up individuals within the committees, or cross-training (to the extent possible) owners to act as backups for one another. Documented back-ups make losing one individual less disruptive.
During this initial process, organizations should establish lines of reporting and clearly define roles of stakeholders. This fosters clarity, transparency, and accountability, as well as reduces redundancy.
Risk Management
Organizations must oversee a technology and cybersecurity risk management program built on existing industry best practices as well as new regulatory requirements. Risk management measures are designed to identify risks, manage them, and keep up with their evolution. They should scale appropriately to an organization’s size, complexity, and business activities.
Risk assessments are required to determine an organization’s risk profile. These identified cyber risks require acceptance, transfer, or mitigation, as well as continual monitoring. In addition, staff at all levels and even subject matter experts must routinely undergo training to keep their knowledge of best practices up to date.
Where to Start
As an organization establishes its risk management component (which can be run by the owner of risk management as part of establishing governance), a high-level risk assessment is a prudent place to begin. A risk assessment brings awareness of cyber across an organization (and not just in IT) and gauges the current state of the organization’s cyber affairs, including both areas of strength and critical gaps. A roadmap for improvement can be drafted as a result, which can inform all steps downstream of this activity, such as testing and reporting. Additionally, a risk assessment makes a practical, tangible deliverable in case of an audit.
Another low-impact activity an organization can institute early on is network vulnerability scanning, which can be set up in-house if resources are available or easily contracted through a third-party vendor. Automated scans of an environment can detect potentially exploitable vulnerabilities.
Planning and Testing
Organizations must build, plan, test, and improve their resilience in the face of cyber or technology-related disruptions (e.g., ransomware or cloud provider outages). Business continuity plans (BCP), incident response (IR), and disaster recovery (DR) are required and should account for likely scenarios. Formal policies should clarify communication structures, systems and communication mapping, threat detection and escalation, remediation, and testing. The capability to execute policies and plans should always be present, and key third parties needed for these plans should be identified. BCPs should be created and assessed to curtail the impact of disruptions.
Where to Start
At the outset of establishing this component, a business impact analysis (BIA) is a necessary first step. The BIA assesses the effects of disruptions on critical business functions. To perform a BIA, an organization should first determine its critical functions and then limit the scope of the exercise to those functions to keep it manageable. Interview the individuals who perform and maintain the business functions to gain the best understanding of processes and where the greatest risks might exist. BIA exercises can be outsourced to third parties with objective subject matter experts.
The results can then be used to create or update a BCP equipped to tackle the unique risks of each organization. Testing, such as through a tabletop exercise, can then follow.
Third-Party Risk Management
Organizations must manage vendor relationships before signing, during the contract duration, and after contract expiration. Vendors should undergo due diligence to determine if their own organizations are sufficiently operationally resilient and have appropriate cyber protections. In addition, vendors should be held accountable by organizations to ensure risk findings are addressed. Organizations should also establish standard contractual obligations for vendors to notify of security incidents and to adequately protect infrastructure and sensitive information.
Where to Start
The goal of third-party risk management as a component of operational resilience is to manage a full lifecycle process for handling vendor relationships, but to start, create a list of current vendors. From that list, identify those that provide critical business operations. This will look different from organization to organization, including but not limited to cashflow, communication, and cloud services. If you have not yet done so, perform due diligence on these vendors to determine if they are appropriately handling sensitive data and have a cyber program in place to respond to disruptions and/or system compromise.
Ideally this process will be run by an individual named in the first steps of establishing governance. This individual should also identify what your organization needs to have successful third-party relationships as well as understand current contractual obligations, which will help create consistent contractual clauses to include in all future contracts.
Reporting
Organizations must adhere to requirements set by regulatory entities that require them to notify internal and external stakeholders of cyber-related incidents within newly established timetables. Once regulators finalize and institute their new requirements, organizations will be expected to keep records of incidents, and in some cases must ensure events are promptly and formally disclosed (e.g., on Form ADV). Parties to notify may include regulatory authorities, internal staff, external stakeholders, the media, and criminal justice investigators.
Where to Start
A best practice, if not yet instituted, is keeping detailed records of all substantial cyber events moving forward. Today, an organization should assume it will suffer a cyber-attack at some juncture if it has not already. To prepare, it should connect with legal and compliance teams to standardize a reporting process. Official reporting requirements differ based on the regulatory obligations of an organization.
Program Activities That Can Help Achieve Cyber Operational Resilience
Historically, regulations addressing cyber programs have been inconsistently applied, indirect, and gradual. This led to organizations, even within the same industries, building programs with differing activities and varying degrees of maturity. Regulators, such as the SEC and European Commission, are phasing out the pick-and-choose mentality of the past with clearer expectations. Many organizations likely already conduct several activities that help achieve operational resilience (such as risk assessments); however, it is worth acknowledging that those activities may need to be revisited and/or supplemented with additional activities to ensure they comply with regulators’ definitions of operational resilience.
For firms that may have already begun establishing the foundational components, below is a more in-depth graphical representation of the cyber and information security operational resilience program activities.
Please note that listed activities are common trends and that actual requirements will vary across organizations based on regulatory requirements and business type. This representation, in conjunction with regulations, can help an organization determine what is feasible and applicable for their programs.
[Figure: Cyber & InfoSec Operational Resilience: Foundational Components & Prospective Activities]
How ACA Can Help
ACA Aponix® is ready to support organizations as they build their frameworks by offering best-in-class advisory services with seasoned cyber professionals who can bring not only their own expertise, but also best practices and insights from a vast peer network. ACA Aponix offers services to build comprehensive programs such as:
- Aponix Protect™ to build a comprehensive cybersecurity and technology risk management program tailored to your business needs.
- BIA and BCPs complete with robust policies, plans, and procedures to better protect your company from data breaches and efficiently recover from a cyber incident or significant business disruption.
- Risk assessments to identify and remediate gaps in a firm’s current cybersecurity and regulatory state, as well as figure out how a firm stands up against existing frameworks (SOC, PCI, NIST).
- Cloud assessments to determine whether a cloud environment is adequately protecting users, meeting compliance oversight obligations, and preventing data loss.
- Staff training and threat monitoring to educate on industry best practices, cyber trends, and emerging threats.
- Policy development to protect your sensitive data and critical systems, meet regulatory requirements, and set best practices into action.
- Incident response and tabletop testing to not only prepare for a cyber event but test a firm’s resiliency and response in the face of such an event.
- Third-party risk management and vendor due diligence to monitor, validate, and remediate the risks posed to firms by their relationships with third parties.
- Vulnerability and penetration testing to reduce the risk of financial, operational, and reputational losses that can result from a breach.
If you'd like to further discuss this article or learn more about how ACA can help your firm, contact our team here.
Stay tuned for the next part in this series, titled “Operational Resilience in Focus, Part Three: Exploring DORA & What the Financial Sector Needs to Know” in which we dissect the origins, requirements, and expectations of the European Union’s Digital Operational Resiliency Act.
Operational Resilience in Focus is a blog series dedicated to outlining the key components and tactics firms should consider when building out a resilient risk and compliance program. Subscribe to our weekly digest to receive our most recent insights each week and explore our cybersecurity and risk insights library for related articles, webcasts, and more.