
Operational Resilience Requires a Whole-of-Business Approach

Jason Harrell, DTCC Managing Director, Operational and Technology Risk and Head of External Engagements | 4 minute read | May 1, 2023

Operational resilience has emerged as a key area of focus for supervisory authorities and financial institutions. As the financial services sector continues to experience cyber incidents impacting multiple firms, policymakers and institutions are asking: How does my organization rapidly and safely recover from a cyber incident?


Meanwhile, the financial services industry continues to undergo significant technology modernization, providing new products and enhancing or expanding existing offerings. Within this landscape, emerging technologies have provided new sources of capital, expanded financial services to unserved and underserved communities, increased credit and lending opportunities for small and medium businesses, and allowed new market entrants. These advancements have also lengthened the supply chain used to deliver financial services and have contributed to the growing interconnectedness of the financial markets, which could also introduce new risks.

To address growing cyber threats and their potential impacts on a significantly interconnected financial services sector, financial authorities have partnered with standards organizations, financial industry groups, and institutions to develop a framework that enhances the industry's preparedness for material operational events. As an example of the industry's resilience partnership efforts, the Digital Operational Resilience Act (DORA) represents a major step towards defining minimum controls and capabilities in the areas of cyber and ICT third-party risk management across the European Union and will help financial institutions strengthen their controls in a core pillar of operational resilience. While DORA represents a significant and positive step forward, financial firms must realize that resilience is not solely an extension of business continuity or the result of strong IT and cybersecurity controls.

“Financial firms must realize that resilience is not solely an extension of business continuity.”

Business continuity and technology implementations support the delivery of resilient operations, with business areas playing a pivotal role in the delivery and sustainability of resilience across a number of functions. There are three (3) key pillars in firms' resilience frameworks where the level of business engagement is particularly important.

Mapping Critical Operations

First, financial institutions must document and agree on a consistent view of the people, processes, technology, and third parties needed to deliver critical operations. Institutions rely on different business areas to deliver products and services, with each area having its own view on how products and services are delivered based on its responsibilities. Therefore, obtaining an accurate view of dependencies across functions will require each group to validate its role in the delivery of services. These business maps will assist organizations with understanding the true impacts of a material operational event and the potential cascading effects on other critical operations.

Tabletop Exercises

Second, no financial institution wants to experience an operationally impacting incident. However, experiencing these events without the benefit of previously exercising an organizational response only serves to increase the severity of the impact. Tabletop exercises should facilitate the business' thought process around decision-making, decreasing the operational friction that may arise when an incident occurs. Further, these exercises help the business understand where recovery is within tolerance and where additional capabilities may be required.

Capability Building

Third, the development of new capabilities is at the heart of any resilience strategy and separates resilience from risk management. Building capabilities requires business areas' support to drive integration and to validate and test solution effectiveness. By building capabilities, firms can close the loop and bring the business within its tolerance for disruption for certain extreme but plausible events while providing reasonable assurance for rapid and safe recovery strategies.

Resilience is broader than business continuity, cybersecurity, or IT solutions, and it is more important than ever as the cyber incident and technology landscape continues to evolve. Delivering resilience successfully requires understanding the threat impacts to business operations, identifying the current capabilities to address those impacts, and gaining the business insights necessary to build new capabilities and enhance existing processes.

Institutions relying solely on IT or business continuity to deliver on operational resilience may ultimately find themselves ill-equipped to execute on their resilience expectations.

It is incumbent on financial institutions to develop the governance models necessary, across the organization, to deliver on resilience for the benefit of the individual firm and the entire financial services sector.

This article was originally published in Eurofi Magazine, April 2023.

Jason Harrell, DTCC Head of External Engagements, Operational and Technology Risk, CISM
