The financial world took notice in summer 2018 when the Bank of England and the U.K.’s Financial Conduct Authority directed that nation’s financial services firms to formalize plans for handling a business outage that results from systems failure or deliberate attacks.
Much of the impetus for that move stemmed from concerns over the rising number of cyberattacks directed at financial institutions, attacks that can slow online financial services or grind them to a halt. As part of the U.K. directive, firms were also required to demonstrate more resilient disaster recovery and business continuity plans.
In the United States, a new set of cybersecurity regulations from the New York State Department of Financial Services requires banks and other financial institutions to develop a DR and business continuity plan as part of a more comprehensive cybersecurity program. The Federal Financial Institutions Examination Council also outlines guidance for DR and business continuity in its IT Examination Handbook.
Christophe Bertrand, senior analyst for data protection at the Enterprise Strategy Group, and Phil Goodwin, a research director in IDC’s Storage Systems and Software research practice, recently spoke with BizTech and offered several best practices for institutions embarking on their own DR plans.
“Financial institutions, by definition, are sensitive to data loss as it can represent significant amounts of money very quickly should a key transactional system become interrupted regardless of the reason,” Bertrand says.
Still, in most cases, continuity of operations best practices tend to apply across the board, not just to one segment such as banking, Bertrand points out. ESG research has found that most companies have very little tolerance for downtime, with a majority of organizations reporting a tolerance of less than one hour of unavailability.
5 Ways to Get Started With DR Planning
1. Start with a comprehensive threat analysis. Outside of hackers and outright systems attacks, many threats are regional in nature, such as earthquakes and hurricanes. Others are location-specific, for example, an airplane or train crash. But most disaster failovers result from more mundane issues such as a data center fire, broken water pipes or power failure. Analyze all potential threats and understand what the business can tolerate when it comes to downtime and data loss.
2. Assess the technology required. Leverage the high-availability capabilities of storage, operating systems, hypervisors and applications. Specialized DR solutions may also help. High availability can minimize or negate downtime.
3. Closely manage access controls and security. Only allow authorized employees or contractors access to manipulate backup processes or recovery efforts.
4. Run frequent tests. Conduct regular, if not continuous, data recovery exercises. In today’s business environment, applications change constantly, so it’s important for organizations to run continuous tests to ensure they can recover mission-critical data should an outage occur.
5. Plan for the possibility of long-term failover. Keep in mind that many companies ran on their DR sites for up to a year after the Sept. 11, 2001, attacks. Such a catastrophe could happen again, and all business and financial institutions should prepare.
Banks should also understand that DR or continuity of operations planning requires involvement from "the classic triumvirate of people, process and technology" — each must be addressed through DR planning, IDC’s Goodwin says.
“It is critical that IT and business units work together for DR planning,” Goodwin says. “Don’t look at DR as an event; it is part of total application availability.”