Cybersecurity is a key component of an effective operational resiliency program, a point further underscored by the widespread shift to remote work in the current crisis environment. Technology is the platform upon which all financial institutions are based; therefore, maintaining internal and external security and privacy over this technology is imperative to the institution’s functions.
A post-crisis review should include the following steps:
- Reassess compliance with the cybersecurity and privacy frameworks leveraged by the organization to ensure that the necessary legal, regulatory, and security requirements are being met in the “new normal” operating environment. If malicious activity was uncovered, ensure that lessons learned are collected and standards and frameworks are updated to include this new input.
- Evaluate the use of any external information exchanges (such as client portals) for the presence of vulnerabilities or misuse. Clients may have accessed accounts and information using less secure networks or machines than they normally would have, which increases the risk of malicious actors gaining access.
- (Re)assess the use of any new or existing tools or applications that facilitate remote work to ensure that they meet organizational security baselines. Some tools may have been hastily implemented without full IT vetting, while others, such as widely used collaboration tools, may have exposed the organization to previously unknown vulnerabilities, so both new and existing tools belong in the post-crisis review.
Some less mature financial institutions utilize their cybersecurity program as their operational resilience program. While this is not best practice (and will not pass regulatory scrutiny), it highlights how critical a role cybersecurity and privacy play in an effective operational resilience program, and consequently why it is essential to understand their post-crisis effectiveness.
Now that your organization has reassessed its cybersecurity function, we will next look at performing a post-crisis reassessment of the data management and governance capabilities as part of your operational resilience program.