Pub. 9 2019-2020 Issue 6

O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S — H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S May • June 2020 11 Steve Ward has more than 28 years of experience in the technol- ogy sector, 13 of which he spent working directly with community banks. He currently serves as CSI’s vCIO manager. In his role, Steve partners with organizations to understand their strategic IT objectives and makes recommendations that align with their business goals. processes and continuity. Institutions should develop a formal threat analysis to assess how a variety of risk factors, including regional location, terrorist plots and environmental factors, increase the likelihood of business disruption at each location. The frequency of such formal threat analyses should be determined by prevailing conditions: every 18 to 24 months when things are stable and 6 to 12months if change is occurring in any of the above factors. It is also important to conduct a formal threat analysis of your main location and disaster recovery sites and on any internal or external sites that house critical data and backups. Evaluating Cyber Insurance Options The FFIEC indicates that the primary objective of the risk management BCP phase is to identify, assess and reduce risk to “an acceptable level.” A key component of this phase is analyzing the adequacy of insurance coverage, which is especially important in digital environments. As some organizations have learned the hard way, general liability and other traditional insurance policies often do not cover business disruptions or data breaches as a result of cyberattacks. In 2018, the FFIEC issued a Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs to call attention to this type of coverage, explaining that cyber insurance options vary but fall into two categories: special endorsements to traditional policies or standalone cyber policies. In addition, the FFIEC advises institutions to remember that most cyber insurance policies specify who is covered. Make sure to consider first-party coverage, which insures your institution against direct cyberattack expenses, and third-party coverage, which protects customers whose data is compromised and/or partners and vendors that house your data and experience a cyberattack. Testing Your Plan The last phase of your BCP process shouldn’t be overlooked, as testing your plan is integral to preparedness. Modern BCP narrows the scope of testing while increasing its frequency. It is now a best practice to conduct small, function-specific tests on a monthly or quarterly basis, starting with the most critical functions. By accumulating these tests over time, your institution will have a more accurate picture of your BCP’s overall effectiveness. The increase in flexibility and resiliency that testing provides, coupled with a robust infrastructure, goes a long way in weathering or outright avoiding many issues. Planning for a Pandemic Pandemics are about people. They are, by their nature, an HR issue more than a technical one. Technology is merely a facilitator, and most of the tools and means of mitigating pandemics need to be built out in advance of the incident. Nevertheless, when a pandemic hits, it presents unique challenges to financial institutions and continuity planning. When planning for a pandemic, remember the importance of flexibility, as your institution will likely have to adapt to new information and mitigate evolving risks. The FFIEC recommends financial institutions consider including the following in a pandemic plan within their BCP: • A program to ensure continuity of services that includes monitoring of outbreaks, development of communication plans for employees and third- party service providers, procurement of supplies for appropriate hygiene, etc. • Strategies that provide for scaling of the institution’s pandemic efforts, including plans for preparation for one or more potential following waves. • A framework for systems and procedures that allow the organization to continue its operations if essential staff members are unavailable to work, including work-from- home policies, and redirecting customers to electronic banking services or alternative operations sites. • A testing program focusing on procedures to ensure continuity of critical operations and services. As the recent COVID-19 outbreak has shown, business disruptions can occur quickly and without much warning. So, it is in the best interest of your institution to be prepared with an effective BCP. n The frequency of such formal threat analyses should be de- termined by prevailing condi- tions: every 18 to 24 months when things are stable and 6 to 12 months if change is occur- ring in any of the above factors.