Regardless of the size of your organisation, it’s inevitable that – at some point – a few bad things will happen. You will be the target of a cyber-attack. Your systems will experience a failure. You will have a data breach.
This isn’t fearmongering. Whether you’re a single-handed IFA practice, or a large organisation, a ‘critical event’ is something all modern businesses should expect.
But that doesn’t mean you and your firm are powerless to do anything. Prevention should be a key part of your operational resilience strategy without a doubt. But it’s even more important to use the critical events that do happen as an opportunity to respond, recover and learn.
Why does this matter? Operational disruption and cyber-crime are not only a pain for your business, causing outages and breaches you need to fix on the fly; they are also very likely to harm your clients.
If these incidents are not managed well, and if you don’t learn your lessons for next time (and there will be a next time), you may lose the confidence and loyalty of your clients, directly impacting your bottom line.
Not just an IT issue
Crucially, ensuring operational resilience is not solely an IT responsibility. It is a priority for the FCA, as evidenced in its 2019/2020 business plan, and in earlier surveys and discussion papers. Consequently, operational resilience should be a priority for every business, implemented from the highest levels and overseen by those responsible for compliance.
Getting your house in order
One of the greatest vulnerabilities for financial advisers is the use of third-party providers combined with the lack of a comprehensive cyber strategy. When it comes to operational resilience, prevention and preparation are the best way to tackle these weaknesses. You need to protect the perimeter of your systems, assets and networks.
Cyber-criminals can easily exploit vulnerabilities in your systems – vulnerabilities caused by a lack of understanding, and by a failure to record key assets, services and third parties.
Therefore, it’s essential to truly get to the bottom of the systems you use and how they impact business resilience, service continuity and customer outcomes.
Tackle this housekeeping in five steps:
1. Know your assets
It’s likely that you have a general understanding of the information assets your organisation holds. You probably have a vague knowledge of the third parties you use. But this all changes frequently, often without adequate assessment of the vulnerabilities of the systems, networks and assets.
Conduct an audit and log the data in an all-encompassing register, making sure this information is up to date and complete. In particular, you should identify who within the third parties has access to your systems and data, and how this access could be restricted.
2. Appreciate the business impact
Plenty of firms do not fully appreciate the sensitivity of their information assets, and just how critical these are to the continuity of business services.
Your audit should cover how these assets and systems are used within business services and the impact of failure if they aren’t adequately protected.
3. Assess the customer impact
Are you assessing the risk that failure could have on your clients?
Your audit should include an assessment of how system outages and breaches will affect your clients’ ability to access and use your services.
4. Develop protective measures
Organisations can neglect to upgrade or replace their information assets in good time, particularly at the end of their usable life. They also often fail to carry out any additional risk management practices while assets are being replaced.
Cyber-criminals often access systems by exploiting unaddressed vulnerabilities in unsupported assets. You need to understand the impact of cyber-crime and systems failures on both your operations and your customers, responding with effective, risk-based preventative measures.
This should include scenario planning, penetration testing and stress testing to ensure the measures you put in place are as robust as possible.
5. Regularly review
Although some firms regularly review their assets, networks, systems and third parties to identify those reaching the end of their life, they often don’t carry out a complete or continuous review. In some cases, the review may only be done periodically, on a manual basis.
You should review periodically with an annual audit, and also put processes in place to ensure the register is kept continually updated as assets change over time.
So, now might be the time for a spring clean. For many firms this will be a long and complex process involving people from across the business; for smaller businesses it could be completed by one person. Either way, conversations should be happening at the very highest levels in each organisation to make sure this remains an ongoing priority, as it certainly will be for the regulator for the foreseeable future.
Don Scott is technical director at TCC