The Unique Business Continuity and Recovery Needs of FinServ Organizations
FinServ companies are among the top targets for cyberthreats, notes Scott Spatz, partner and President of Cooperative Systems.
“Because of that, you need to be on your data and system security game at all times,” he says. “You need to have a thorough, well-designed technology plan and program in place to properly secure and manage your technology and your business. Beyond your plan, you need to have controls in place that help you quickly identify if and when your technology environment is compromised and that quickly help you mitigate those issues.”
On top of that, FinServ organizations have regulatory and compliance needs that are tougher to meet than those of most businesses. If that’s not challenging enough, they also need to innovate consistently with technology to serve customers in a hyper-competitive vertical.
With all that in the balance, FinServ organizations clearly need a higher level of “fail-safe” protection, which puts their backup and disaster recovery (BDR) plan in the spotlight.
A Range of Safeguards
Because FinServ companies are already regulated entities, compliance requirements can dictate their data security and backup needs, along with other steps.
“Your BDR needs to account for a number of different things,” says Spatz. “First, you need to be able to safeguard your data and restore it should you be compromised or data got deleted or lost. That’s one component. Systems availability is another. Getting your systems back up and running in the case of an incident or an issue—fire, flood, or something else—is critical.”
That in turn brings in the applications you use day in and day out. Where are they hosted: internally, or by a cloud service provider? Provider hosting raises the issue of third-party risk management, because you then need to vet the business continuity plans of those service providers.
As with any organization’s BDR plan, whether regulated or not, there are several common considerations. If you had a disaster of some sort, how would you continue your operation, potentially from an alternative location? Do you have devices and equipment that you can utilize to continue your operation from another location and how? What do your staff do in the event of an issue? How do you communicate with your staff and customers? What do you expect your staff to do and when and how and from where? What happens if your lines of communications are down, and what are your backup lines of communication? Do you have a formal incident response plan?
“You also need to consider your tolerance for downtime,” Spatz says. “How long can you be down for without disrupting product or service availability to your customers before it significantly impacts your reputation and your ability to continue to service them going forward?”
The key points in the case of downtime are recovery time objective (RTO) and recovery point objective (RPO).
RTO concerns how quickly you can restore data and systems should an incident occur. Can you afford to lose 15 minutes of data, an hour, half a day, a day? How long would it take to recreate that data? What would the impact be for customers?
RPO is the maximum amount of data—as measured by time—that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization.
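As an added illustration (not part of the original article), the following Python check computes the RPO and RTO actually achieved in an incident from a constructed backup log and compares them with the plan’s targets; the backup timestamps, incident time, restore time and targets are all assumed sample values.

```python
from datetime import datetime

# Constructed sample backup log: (completion time, passed a restore test?).
# A job that completed but never passed verification is NOT restorable.
BACKUPS = [
    (datetime(2024, 3, 4, 8, 0), True),
    (datetime(2024, 3, 4, 9, 0), True),
    (datetime(2024, 3, 4, 10, 0), False),  # completed, restore test failed
]
INCIDENT_TIME = datetime(2024, 3, 4, 10, 30)     # assumed: outage detected
SERVICE_RESTORED = datetime(2024, 3, 4, 11, 15)  # assumed: systems back for customers
RPO_TARGET_MIN = 60  # accept at most one hour of lost data
RTO_TARGET_MIN = 60  # accept at most one hour of downtime


def achieved_rpo_minutes(backups, incident_time, require_verified=True):
    """Minutes of data lost: incident time minus the newest usable backup.
    Returns None when no usable backup exists (loss is unbounded)."""
    usable = [t for t, verified in backups
              if t <= incident_time and (verified or not require_verified)]
    if not usable:
        return None
    return int((incident_time - max(usable)).total_seconds() // 60)


def achieved_rto_minutes(incident_time, restored_time):
    """Minutes of downtime from the incident until service is restored."""
    return int((restored_time - incident_time).total_seconds() // 60)


def evaluate(backups, incident_time, restored_time, rpo_target, rto_target):
    """Compare achieved RPO/RTO with the plan's targets."""
    rpo = achieved_rpo_minutes(backups, incident_time)
    rto = achieved_rto_minutes(incident_time, restored_time)
    return {
        "rpo_minutes": rpo,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "rto_minutes": rto,
        "rto_met": rto <= rto_target,
    }


if __name__ == "__main__":
    print(evaluate(BACKUPS, INCIDENT_TIME, SERVICE_RESTORED,
                   RPO_TARGET_MIN, RTO_TARGET_MIN))
```

Counting the unverified 10:00 job would report 30 minutes of loss and a met RPO, which is why the check defaults to verified backups only.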
“For financial institutions, in particular, whose individual and commercial customers expect absolute data protection and 24-hour access, tolerance in either case is pretty much zero,” Spatz says, “so a BDR plan needs to be built around being operational almost immediately after any incident.”
The Role of Core Service Providers
Another facet of a financial institution’s BDR planning is the core banking activity serviced by organizations referred to as “core service providers.”
“The financial services themselves and the technology systems that the financial institution operates typically supplement the products or services that the core banking application doesn’t,” explains Spatz. “So, there are other products or services that the individual financial institution may provide to their customers that aren’t core banking activities.”
Generally, a handful of core service providers are commonly used in the banking and credit union space. They have the safeguards in place to maintain the integrity and availability of the data from a banking perspective.
“In terms of third-party risk management, incident response and disaster recovery plans don’t need to have core banking components built into them, but you should still be aware of your core service provider’s BDR plans,” he says. “If they’re hosting a core application of yours and they have a failure, an outage, or an incident of some sort, what is their BDR plan on your behalf? Your BDR plan has to encompass any third parties that make up product or service availability for your customers and your staff. Then there are business continuity aspects as it relates to your office space, your building, and your equipment—even beyond your technology.”
Contact us to learn how Cooperative Systems can help your FinServ firm develop a BDR plan that meets your specific needs.