Community Bank Auditors Group
Taking Your Business Continuity Plan To The Next Level
June 9, 2015
By: Tracy Hall
MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
2015 Wolf & Company, P.C.
Agenda: Taking your Business Continuity Program to the Next Level
- Statistics and Recent Disaster Events
- Regulatory Guidelines / Latest Updates
- BCP Contents
- Other Considerations / Lessons Learned
Not So Fun Facts
A 2012 survey showed that the top 4 causes of downtime that year were:
- Hardware failure: 55%
- Human error: 22%
- Software failure: 18%
- Natural disasters: 4%

Don't Let The Door Hit You
- 40% of businesses severely compromised by a disaster go out of business within 6 months
- 90% of businesses that are down for 7 days do not reopen

Cost of Not Being Prepared: of businesses that experience a major loss of data without a plan,
- 51% close within 2 years
- 43% never reopen
- 6% survive long-term
Increased Scrutiny
It is no longer sufficient to point to the large book on the shelf.
Recent Events
Changes in preparedness and scrutiny by regulators and examiners began after 9/11 and Katrina, and continue to increase with each incident:
- Hurricanes Irene and Sandy
- Winter 2011 blizzard
- The East Coast earthquake
- Tornadoes and thunderstorms
- Boston bombing
Regulatory Guidelines
- FFIEC Revised Guidelines on BCP (2008): http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx
- SEC Risk Alert (2014): http://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf
- FFIEC Appendix J (February 2015): http://www.ffiec.gov/press/pdf/ffiec_appendix_j.pdf
FFIEC Guidelines: 2008 Revision
- Board and Senior Management Responsibilities
  - Executive overview of the BCP process
  - Board of Directors responsibility
- Business Continuity Planning Process
  - Enterprise-wide approach to planning
- Business Impact Analysis
  - Define critical functions
  - Impact to the business if those functions were interrupted
  - Resources required to support those functions
  - Critical timeframes to recover
- Risk Assessment
  - What threats could possibly impact your operations?
  - Where are your vulnerabilities?
- Risk Management
  - Implementing controls
  - Developing a sound BCP
  - Implementing a reliable recovery strategy
- Risk Monitoring
  - Testing
  - Maintenance
- Other Policies, Standards, and Processes
  - Vendor management
  - Pandemic planning
Sample BCP Contents
- Introduction
- Executive / Policy Statement
- Scope / Purpose
- Assumptions
- Incident / Scenario Descriptions
- Command Centers and Contingency Sites
- Incident Response
- Risk / Threat Assessment
- Business Impact Analysis
- BCP Teams
- Disaster Recovery / Technology Recovery
- Restoration
- Awareness and Training
- Maintenance
- Testing
- Pandemic Plan
- Appendices
FFIEC Guidelines: 2015 Update
February 2015: Appendix J, Strengthening the Resilience of Outsourced Technology Services
- Result of increasing dependency on outsourced technology providers for critical systems and infrastructure
- Four specific areas
FFIEC Guidelines 2015 Update: Third-Party Providers
- More and more processes are outsourced; you must consider vendor response and recovery plans
- Ask for detailed SLAs
- Widespread regional events have identified issues with suppliers
- Contingent business interruption loss: a loss that a business suffers as a result of damage to other property that prevents one of its suppliers from providing goods and/or services to the business, or that prevents the business's customers from accepting goods and/or services from the business
FFIEC Guidelines 2015 Update: Area One, Third-Party Management
Addresses a financial institution management's responsibility to control the business continuity risks associated with its TSPs (technology service providers) and their subcontractors.

How to prepare:
- Validate that third-party resilience considerations are part of your vendor management program, including due diligence, contract negotiations and ongoing monitoring
- Evaluate the use of subcontractors by your TSPs
- Ensure TSPs are reviewing their subcontractors' business continuity plans
FFIEC Guidelines 2015 Update: Area Two, Third-Party Capacity
Addresses the potential impact of a significant disruption on a third-party servicer's ability to restore services to multiple clients at once.

How to prepare:
- Ensure that your TSPs have adequate planning and testing strategies to support multiple clients in a regional event
- Identify a comprehensive set of alternative resources to provide services in the event your TSPs are unable to recover from a wide-scale disruption
FFIEC Guidelines 2015 Update: Area Three, Testing with Third-Party Technology Service Providers
Addresses the importance of validating business continuity plans with TSPs, considerations for a robust third-party testing program, and including third-party providers in the client's own testing.

How to prepare:
- Participate in BCP testing with TSPs whenever possible
- If that is not possible, review the TSPs' test results, remediation plans and status reports on their completion
- Identify any gaps following testing
- Draft a plan to ensure all gaps are addressed
FFIEC Guidelines 2015 Update: Area Four, Cyber Resilience
Covers the aspects of BCP unique to disruptions caused by cyber events.

How to prepare:
- Ensure that cyber threats are addressed in the BCP risk assessment
- Validate that TSPs have an up-to-date incident response plan, and ensure the plan is periodically tested
- Research and identify third-party forensic investigators that may be required following a cyber incident
Other Considerations / Lessons Learned: Executive Oversight
- FFIEC guidelines require annual sign-off on the BCP by the Board of Directors
  - Ensuring a sufficient plan is in place
  - Allocating responsibility for the plan
- The plan must be reviewed and updated at least annually
- Employee awareness
- Testing
- Supporting any actual recovery effort
Other Considerations / Lessons Learned: Enterprise-Wide Approach to Planning
- BCP is no longer an IT-driven initiative
- FFIEC guidelines call for a business-driven recovery plan
Other Considerations / Lessons Learned: Scenarios
- Examiners are looking for responses to a wider range of possible scenarios
- Consider multiple scenarios while still focusing on the worst case
- How do we avoid the vicious "what if" cycle?
- How do you determine the worst case?
Other Considerations / Lessons Learned: Incident Response
- Cross-referencing communication and escalation procedures
- Media/external communications, including customers
- Employee meeting areas
- Incorporating the public sector and local authorities as necessary
- Ongoing communications during an event
Other Considerations / Lessons Learned: Communications Plans
- Identify methods of communicating with employees, clients, etc. throughout the incident, not just at the onset
- Develop a procedure for communicating prior to incidents that come with warning
- Ensure the plan adequately identifies who is responsible for what, including internal and external communications
Other Considerations / Lessons Learned: Business Impact Analysis (BIA)
- Is this business driven?
- Identify MAD, RTOs and RPOs for critical processes and systems
  - MAD = Maximum Allowable Downtime
  - RTO = Recovery Time Objective
  - RPO = Recovery Point Objective
- The BIA helps determine the recovery strategy: do the targets the business has set and the recovery the strategy can actually deliver coincide?
- Prioritize processes and resource requirements into more condensed, well-defined RTOs
Other Considerations / Lessons Learned: Recovery Reality
- How realistic is your recovery strategy?
- Have you tested that your recovery strategy supports the business-critical RTOs and RPOs?
- Is your DR site equipped with the appropriate requirements?
- How often is this reviewed? Are changes to the business incorporated?
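The BIA and Recovery Reality slides above ask two questions that are easy to answer "yes" to on paper and hard to answer in an exercise: are the MAD/RTO/RPO targets internally consistent, and does the recovery strategy, as actually tested, meet them? The following Python script is an added example, not part of the original deck and not a Wolf & Company or FFIEC tool. It cross-checks a constructed set of BIA entries against constructed DR-exercise evidence and flags an RTO longer than its MAD, a process whose dependency recovers more slowly than the process itself claims to, a tested recovery that overran the RTO, a last good backup older than the RPO allows, and a process that was never exercised at all. Every process name, hour value and timestamp is made up for illustration.

```python
"""Cross-check BIA targets against what a recovery exercise actually showed.

Added example, not from the original deck. MAD = Maximum Allowable Downtime,
RTO = Recovery Time Objective, RPO = Recovery Point Objective (hours here).
All process names, targets and timestamps below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class Process:
    """One critical process or system as recorded in the BIA."""
    name: str
    mad_hours: float
    rto_hours: float
    rpo_hours: float
    depends_on: List[str] = field(default_factory=list)


@dataclass
class TestEvidence:
    """What a DR exercise demonstrated for one process."""
    incident_declared: datetime   # when the exercise declared the disaster
    recovered_in_hours: float     # measured time until the process was usable
    last_good_backup: datetime    # most recent restorable copy at declaration


Finding = Tuple[str, str, str]   # (process, finding code, detail)


def check_bia(processes: List[Process],
              evidence: Dict[str, TestEvidence]) -> List[Finding]:
    """Return every gap between BIA targets and tested recovery capability."""
    findings: List[Finding] = []
    by_name = {p.name: p for p in processes}
    for p in processes:
        # 1. Internal consistency of the BIA: an RTO the business cannot
        #    tolerate is not a target, it is an accepted outage.
        if p.rto_hours > p.mad_hours:
            findings.append((p.name, "RTO_EXCEEDS_MAD",
                             f"RTO {p.rto_hours}h exceeds MAD {p.mad_hours}h"))
        # 2. A process cannot be back before the systems it depends on.
        for dep in p.depends_on:
            d = by_name.get(dep)
            if d is None:
                findings.append((p.name, "UNKNOWN_DEPENDENCY",
                                 f"depends on '{dep}', which has no BIA entry"))
            elif d.rto_hours > p.rto_hours:
                findings.append((p.name, "DEPENDENCY_RTO",
                                 f"'{dep}' RTO {d.rto_hours}h is slower than own RTO {p.rto_hours}h"))
        # 3. Does the recovery strategy, as tested, deliver the targets?
        ev = evidence.get(p.name)
        if ev is None:
            findings.append((p.name, "NO_EVIDENCE", "never exercised in a recovery test"))
            continue
        if ev.recovered_in_hours > p.rto_hours:
            findings.append((p.name, "RTO_MISSED",
                             f"recovered in {ev.recovered_in_hours}h, RTO is {p.rto_hours}h"))
        data_loss = ev.incident_declared - ev.last_good_backup
        if data_loss > timedelta(hours=p.rpo_hours):
            findings.append((p.name, "RPO_MISSED",
                             f"{data_loss} of data at risk, RPO is {p.rpo_hours}h"))
    return findings


# Constructed sample BIA and exercise results (illustrative only).
UTC = timezone.utc
DECLARED = datetime(2015, 6, 9, 2, 0, tzinfo=UTC)

SAMPLE_PROCESSES = [
    Process("Core Banking", mad_hours=8, rto_hours=4, rpo_hours=1),
    Process("Wire Transfers", mad_hours=4, rto_hours=2, rpo_hours=0.25,
            depends_on=["Core Banking"]),
    Process("Online Banking", mad_hours=24, rto_hours=8, rpo_hours=4,
            depends_on=["Core Banking"]),
    Process("Loan Origination", mad_hours=48, rto_hours=72, rpo_hours=24),
]

SAMPLE_EVIDENCE = {
    "Core Banking": TestEvidence(DECLARED, 3.5, datetime(2015, 6, 9, 1, 30, tzinfo=UTC)),
    "Wire Transfers": TestEvidence(DECLARED, 1.5, datetime(2015, 6, 9, 0, 0, tzinfo=UTC)),
    "Online Banking": TestEvidence(DECLARED, 10.0, datetime(2015, 6, 8, 23, 0, tzinfo=UTC)),
    # Loan Origination was never exercised, so it has no evidence entry.
}


def run_sample() -> List[Finding]:
    return check_bia(SAMPLE_PROCESSES, SAMPLE_EVIDENCE)


if __name__ == "__main__":
    for name, code, detail in run_sample():
        print(f"{name:16} {code:18} {detail}")
```

On the sample data the script reports five gaps: Wire Transfers cannot honour a 2-hour RTO while depending on a core system with a 4-hour RTO, and its last backup was two hours old against a 15-minute RPO; Online Banking overran its RTO in the exercise; Loan Origination has an RTO longer than the business says it can tolerate and has never been tested. The dependency check is the one most often missing from spreadsheets: the BIA and the recovery strategy only "coincide" when every process's RTO is at least as long as the RTOs of everything it needs.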
Other Considerations / Lessons Learned: Alternate Site Selection
- Geographic diversity
- Accessibility
- Vulnerabilities
Other Considerations / Lessons Learned: Telecommunications Services and Technology
- Consider multiple providers
- Considerations for cloud computing
- Evaluate working from home as an option in such an event
- Testing of backup/redundant servers
- UPS and generators for critical systems
- Elevating technology equipment to avoid flood damage
Other Considerations / Lessons Learned: Granularity
- More detailed action plans at the department level, especially focusing on the initial phase of incident response
Other Considerations / Lessons Learned: Testing
- Requirement for more dynamic testing
- Different types of exercises
- More frequent tests that are smaller in scope can make testing more manageable
- Incorporating the user community
Other Considerations / Lessons Learned: Awareness and Training
- How often are employees made aware of plan details?
- Do employees understand their role in the BCP?
Other Considerations / Lessons Learned: Adequate Business Interruption Insurance
- Understand the cost of downtime to determine an adequate amount of coverage; this should include costs related to the recovery effort as well
- Understand the contingencies for being able to collect on the insurance: are there things you are required to do, or not to do, in order to collect?
- Contingent Business Interruption coverage: is this included in your policy?
- Request Certificates of Insurance from providers and suppliers
Other Considerations / Lessons Learned: Regulatory and Compliance Considerations
- Incorporate any regulatory changes/updates into the BCP
- Consider time-sensitive regulatory requirements while planning, and investigate the procedures for requesting reporting extensions before an incident occurs
Other Considerations / Lessons Learned: Incorporating BCP into Everyday Business
Considering how changes to the business affect your BCP is essential to ensuring it stays current and sufficient:
- Personnel changes and growth
- System/application changes (budget for redundancy)
- Vendor/provider changes
- Other technology changes
- New and updated policies and procedures
- Audit feedback
Bringing The BCP To The Next Level: Automation
Automating the Business Continuity Program has several benefits:
- Access security
- Central repository
- Distribution of ownership
- Streamlined maintenance
- Version control
- etc.
Conclusion
Thank You
Tracy Hall, MBCP
IT Assurance Manager
413-726-6884
thall@wolfandco.com