Disaster Recovery and Continuity Planning for Online Mayhem
Analyst: Bill Bradway
March 11, 2010
We all recognize that, over the past 15 years, the role of the Internet has expanded dramatically for a wide range of industries, including the financial services industry. Internet standards have become widely accepted, and the prior generation’s mix of proprietary network infrastructure solutions has been, or soon will be, replaced by Web-compatible technologies. Physical terrorism and/or tragedy, such as the 9/11 attack on the World Trade Center or Hurricane Katrina, significantly disrupted trading and banking activities. After the fact, some financial institutions had to make major revisions to their disaster recovery and continuity (DRC) plans. For example, most NYC-based financial institutions implemented their revised plans within a year.
During the past decade, nary a month has gone by without a notable cyber attack that affects the Internet, causing outages or systematic stress. Banks are often the target of these attacks because of their intricate role in payment processing and financing. Cyber thieves/hackers have become increasingly sophisticated in designing and launching attacks. Attacks can take a variety of forms: cyber-identity theft, denial-of-service outages aimed at specific websites, hard-to-detect and hard-to-remove viruses that cripple servers and workstations, and cyber-fraud transactions, to name a few.
On March 9th, federal and state investigators announced they had cracked a sophisticated cyber-facilitated fraud operation in the Minneapolis – St. Paul area. Identity thefts are being used to raid bank accounts and run up credit card bills. So far, investigators estimate the fraud operation has about 200 members in the Twin Cities area alone. Social networking sites are among the prime venues the fraudsters use to capture identity data. Investigators have indicated the operation extends to West Africa and Eastern Europe. In this case, many institutions, both local and national, have become victims along with their customers.
My experience indicates that everyone in bank management, especially the CEO, COO, CFO, CIO, and head of internal audit, and the bank’s critical IT vendor(s) are committed to having a well-constructed DRC plan. DRC plans are typically reviewed regularly by auditors and the bank’s primary regulator. And the bank’s board of directors is briefed on the DRC plan periodically. Unfortunately, substantial DRC revisions are often made after a Katrina or a massive earthquake.
If a bank management team has not already done so, it should make sure the DRC plan includes an analysis of how to operate if cyber DRC events impact the bank, its important BankTech vendors, or the banking payments infrastructure. A cyber fraud that can escalate into the millions of dollars should be treated by bankers as a disaster. In the case of a cyber DRC event, figuring out how to respond quickly, communicate effectively, and maintain a modified level of business activity is worth addressing before the event even happens. The cyber DRC event plan should be updated whenever a new type of attack occurs anywhere a bank is affected.
During my Navy days aboard a destroyer, the Captain would schedule, often with no advance notice, DRC drills, such as man overboard, battle stations, and fire in compartment X, to make sure the entire crew was capable of correctly handling the event, sometimes using a stopwatch to measure the crew’s response time. The military survives and succeeds by planning and training for these events – their lives depend on doing it right every time. Bankers and their key BankTech and Payments vendors should take the same approach to planning and training for all types of DRC events, including cyber events. In a 24/7 world, a bank’s operations, marketplaces, and potentially the broader economy can be seriously disrupted if there is no plan or if it has never been tested.