Preparing For the Next Global Outage: Review Your Business Continuity Plan


July 23, 2024


Key insights

Recent technology outages and cybersecurity incidents affected various industries, underscoring the importance of a solid business continuity plan — particularly for organizations that rely heavily on technology and vendors for critical services.

Help protect your institutional and customer information and maintain customer trust by reviewing your vendor management, incident response, disaster recovery, and patch management programs.

Regularly update these programs to help your organization be prepared to form a quick and efficient response to incidents and potentially reduce the impact on your organization and customers.


The July 18 widespread technology outage and recent cybersecurity incidents, such as the CDK breach, impacted various industries. It’s a good time to highlight the importance of your business continuity plan, including vendor management, incident response, disaster recovery, and patch management programs.

Some industries have a higher cybersecurity risk profile because of the service they provide or the information they possess. Those that play critical roles in infrastructure and finance are often targeted by bad actors through cyberattacks — however, any organization can become a victim. Companies that depend on technology and other “online” services also can be downstream victims of these and non-cyber related scenarios.


Financial institutions often targets of cyberattacks

Banks and credit unions increasingly depend on external vendors beyond their core providers and loan origination systems to provide critical services to their customers and communities.

To protect institutional and customer information, there’s a heavy reliance on specialty vendors for critical functions to maintain the expected privacy and necessary compliance. When everything works, it’s great, but when issues arise and root cause analysis is conducted, the “blame game” can start.

When systems go down or are inaccessible, there’s often an assumption of a cybersecurity breach, leading to questions like “Was my personal data compromised?” Being able to answer this is crucial for maintaining customer trust. While the CrowdStrike outage incident was not cyber related, the impact was similar.

Your customers and members don’t care who’s at fault or if you’ve averaged a historical 99% uptime; they care about when you’ll be back up. Answering these questions effectively requires practice, even though you hope you’ll never need it. Verifying that you do what you say, and say what you do, is critical.

Prepare for the unexpected: incident readiness checklist

Your institution must be ready before the next incident. Review your processes to look for opportunities to improve — practices that apply to organizations across all industries.

Vendor management program

  • Identify critical vendors (those with critical data and services that, if down, would impact your institution’s ability to serve customers).
  • Affirm vendor contacts are current.
  • Verify the data and services each vendor provides and who is accountable for the relationship at your organization.
  • Perform annual reviews of key outages at vendors, or at the fourth parties they rely on to provide services to you.

Incident response and disaster recovery programs

  • Review these programs at least annually and update them as your organization changes.
  • These are not IT-only programs — management and board of directors must be involved and accountable.
  • Conduct tabletop tests on various scenarios, document gaps, and adjust plans.
  • Confirm scenarios are realistic and reflect the true impact on the organization and customers.
  • Verify communication and notification plans are sound and address how you communicate with employees, customers, and any relevant agencies.
  • Develop manual procedures to serve your customers and employees if technology is down and confirm what transactions can be run in “offline” mode.

Patch management program and software or hardware updates

  • Review your program against the Federal Financial Institutions Examination Council’s Architecture, Infrastructure, and Operations handbook for any adjustments to current standards or recommendations.
  • Have a backout or rollback plan for any software or hardware updates — if an update doesn’t go as planned, confirm you can revert to the original state to reduce downtime.
  • When possible, use development or testing environments for critical systems to help reduce production outages during updates.

Supply chain risk considerations

One area you might not associate with an outage is supply chain management risk. Because supply chains are complex, review the steps you can take to identify, assess, and navigate supply chain risks using a comprehensive and systematic approach.


Tim Dively

Digital Growth Director
