LENDERS COMPLIANCE GROUP®


Thursday, May 4, 2023

Data Breach – An Unprepared Company

QUESTION 

We were just hit with a data breach and were completely unprepared for it. Hackers took personal information from our corporate server. We believe that customer information was stolen. The hacker also went after our website, meaning information there may be exposed. 

Our Business Continuity policy is all of two pages. We put it together by pasting it from a few Google searches. You may think we are a small mortgage lender, but we have branches in eight states and originate a large volume of mortgage loans. 

We have already alerted law enforcement. We are working on a quick plan to notify investors and customers. But we have no process to follow for this data breach. We're working without a guide. 

All of us in management know you have written a lot about issues like ours. Please help as soon as possible. 

What should we do immediately if we are hacked? 

ANSWER 

NOTE: This article provides links to subject articles, presentations, and a complimentary Data Breach: Quick Reference Checklist. 

As many of you know, I am like a Mother Hen regarding our clients, always looking to protect them. And through these weekly newsletters, I try to ensure our readers are made aware of regulatory compliance challenges. However, some readers ignore my advice, one piece of which is the importance of having a policy for Business Continuity. 

Our Business Continuity plan is comprehensive. We believe it meets regulatory scrutiny; however, I don't care if you want ours or another firm's policy. Assuming the policy is reliable, get it and implement it! If you are not operating with a plan, your company is unprepared for a data breach. Also consider our mini-audit, BCP Tune-up, which provides a review of your Business Continuity plan and procedures.

For information about our Business Continuity Plan, click HERE.

For information about our BCP Tune-up, click HERE.

Here are just some articles I have published on Business Continuity: 

·       Disaster Recovery and Business Continuity

·       Cybersecurity Rule – Proposed Updates

·       Ransomware Payments

·       Prohibited Acts and Practices

·       Large Bank Cybersecurity Challenges

·       UDAAP Violations caused by Insufficient Data Protection

·       Mother of All Computer Bugs

·       Phishing Scams

·       Intrusion Detection Terms 

As Falstaff said, "Better three hours too soon than a minute too late." 

Don't delay. Procrastinate at your peril! 

Let's turn to the situation you find yourself in, to wit, a data breach and no plan for Business Continuity, which should include a Disaster Recovery component. 

If your company experiences a data breach, you should notify law enforcement, other affected businesses, and individuals. Since I do not know your company's size, complexity, or risk profile, my remarks are necessarily generic. 

However, I will provide a bulleted outline so you can act promptly. 

Request the complimentary Data Breach: Quick Reference Checklist. 

Evidence

·       Do not destroy evidence.

·       Don't destroy any forensic evidence in the course of your investigation and remediation.

·       Document your investigation. 

Immediate Response

·       Secure physical areas potentially related to the breach. Lock them and change access codes.

·       Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.

·       Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and complexity of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.

·       Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

·       Consult with legal counsel. You may consider hiring counsel with privacy and data security expertise. They can advise you on federal and state laws that a breach may implicate. 

Stop Data Loss

·       Take all affected equipment offline immediately — but don't turn any machines off until the forensic experts arrive.

·       Closely monitor all entry and exit points, especially those involved in the breach.

·       If possible, put clean machines online in place of affected ones.

·       Update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you've removed the hacker's tools. 

Remove Web Vulnerability

·       Your website – If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or "cache," information for some time. You can contact the search engines to ensure that they don't archive personal information posted in error.

·       Other websites – Search for your company's exposed data to ensure no other websites have saved a copy. If you find any, contact those sites and ask them to remove it. This applies to websites operated by your company's loan officers and agents. 

Interviews

·       People who discovered the breach should be interviewed.

·       Talk with anyone else who may know about it. 

·       If you have a customer service center, ensure the staff knows where to forward information that may aid your investigation of the breach. 

Service Providers

·       If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges.

·       Ensure your service providers take the necessary steps to ensure another breach does not occur.

·       If your service providers say they have remedied vulnerabilities, verify that they fixed things.

Thursday, September 22, 2022

Cybersecurity Rule – Proposed Updates

QUESTION

Our Cybersecurity Policy is a good one. I know this because we have had an examination, and the regulator approved it. 

Although we are a mid-west company, I notice that New York requires an update to its cybersecurity rule. That makes me nervous since New York’s cybersecurity requirements influence many states. 

I want to update our Cybersecurity Policy to reflect New York’s requirements. Sooner or later (probably sooner), our state is going to adopt the same requirements. 

What are the new Cybersecurity Policy requirements in New York? 

ANSWER

New York’s Department of Financial Services (DFS) has been quite active in requiring its licensees to comply with its Cybersecurity Rule (“Rule”). Effective March 1, 2017, the DFS promulgated a regulation[i] implementing the Rule. 

I published a White Paper about the Rule in advance of its effective compliance date, entitled Cybersecurity Guidelines – "First-in-the-Nation" Regulation. You’re welcome to download it HERE. 

From its inception, the DFS has required individuals and entities to comply with the Rule. These are called “Covered Entities.” Covered Entities include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law, the insurance law, or the financial services law. 

I agree that the DFS influences other state banking departments vis-à-vis cybersecurity regulations. Now, the DFS is proposing to update the Rule.[ii] So, it’s a good time to anticipate policy and procedure revisions. Even if the proposed Amendments (“Amendments”) are not adopted in full or at all, given the rapidly evolving cyber threat landscape and, in particular, the growing prevalence of ransomware incidents, many aspects of the Amendments reflect Best Practices. 

Some of the proposed changes are rather significant. For instance, the updated Rule will have such requirements as a mandatory 24-hour notification for cyber ransom payments, heightened cyber expertise requirements for board members, and new access restrictions to privileged accounts. 

I will provide a brief summary of the proposed updates. Covered entities should monitor whether the DFS formally proposes amendments to ensure they are equipped technically, organizationally, and financially to meet the heightened governance, technical, and notification obligations. 

Notification Obligations 

The Amendments will create new requirements to notify the DFS of certain incidents. Specifically, there will be a requirement to notify the DFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a material part of the covered entity’s information systems. 

Furthermore, covered entities will be required to notify the DFS within 24 hours of a covered financial institution making a ransomware payment connected to a cybersecurity event; additionally, there will be a requirement to provide the DFS within 30 days with an explanation of (a) why the payment was necessary, (b) whether alternatives were considered, and (c) what sanctions diligence was conducted. 

Risk Assessments 

There are risk assessment requirements under the current Cybersecurity Rule. Under the Rule, a covered entity must conduct a periodic risk assessment of its information systems “sufficient to inform the design of” its cybersecurity program required by the Rule and must update the risk assessment to address various changes, developments, and threats. The Amendments will expand upon the Rule’s definition of a “Risk Assessment” and more clearly articulate that an assessment must “take into account the specific circumstances of the covered entity.” And the Amendments also would clarify that a covered entity’s risk assessment must be updated at least annually or whenever a change in business or technology “causes a material change to the covered entity’s cyber risk.” 

Heightened Monitoring 

The Amendments will add several new monitoring requirements to the Rule, including:

·     Completion of an asset inventory that tracks information (e.g., owner, location, classification or sensitivity, support expiration date, and recovery time requirements) for each technology asset (e.g., hardware, operating systems, applications, infrastructure devices, APIs, and cloud services), and requirements for updating and validating the asset inventory;

·     Heightened access controls for privileged accounts, such as limiting access to a need-to-know basis, implementing multifactor authentication, and securely configuring or disabling protocols that permit remote control of devices;

·     Regular phishing training and exercises for all personnel; and

·     Monitoring and filtering of emails to block malicious content.
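The asset inventory in the first bullet is only useful if it is complete and kept current. As an added example (not from the Amendments, the DFS, or this firm's policies), the following Python script validates a list of asset records against the tracking fields the bullet names: each record must carry an owner, location, classification, support expiration date and recovery time requirement, and entries whose vendor support has lapsed or is about to, or that have not been re-validated within a year, are flagged. The field names, the 90-day and one-year thresholds, and the sample records are assumptions made for the example.

```python
"""Asset-inventory validation: checks that every technology asset record
carries the tracking fields the proposed Amendments list (owner, location,
classification, support expiration, recovery time requirement) and flags
entries that are expired, nearly expired, or not recently validated.
Added example; field names, thresholds and the sample records are assumptions."""
from datetime import date, timedelta

# Fields every record must carry (names are this example's own choice).
REQUIRED_FIELDS = ("asset_id", "asset_type", "owner", "location",
                   "classification", "support_expires", "rto_hours",
                   "last_validated")

# Fixed "as of" date so the demo result is reproducible.
AS_OF = date(2023, 1, 15)


def validate_inventory(assets, today, max_validation_age_days=365,
                       expiry_warning_days=90):
    """Return a list of (asset_id, issue) tuples; an empty list means clean."""
    issues = []
    seen = set()
    for rec in assets:
        aid = rec.get("asset_id") or "<missing id>"
        if aid in seen:
            issues.append((aid, "duplicate asset_id"))
        seen.add(aid)
        # Completeness: every tracking field present and non-empty.
        for field in REQUIRED_FIELDS:
            if rec.get(field) in (None, ""):
                issues.append((aid, f"missing field: {field}"))
        # Support lifecycle: an unsupported asset can no longer be patched.
        exp = rec.get("support_expires")
        if isinstance(exp, date):
            if exp < today:
                issues.append((aid, "support expired"))
            elif exp - today <= timedelta(days=expiry_warning_days):
                issues.append((aid, f"support expires within {expiry_warning_days} days"))
        # Validation cadence: the inventory itself must be kept current.
        validated = rec.get("last_validated")
        if isinstance(validated, date) and (today - validated).days > max_validation_age_days:
            issues.append((aid, "entry not validated within the last year"))
        # The recovery time requirement must be a usable number for BCDR planning.
        rto = rec.get("rto_hours")
        if rto is not None and not (isinstance(rto, (int, float)) and rto >= 0):
            issues.append((aid, "rto_hours must be a non-negative number"))
    return issues


# Constructed sample inventory, not real data.
SAMPLE_ASSETS = [
    {"asset_id": "los-web-01", "asset_type": "application server", "owner": "IT Ops",
     "location": "HQ data center", "classification": "confidential",
     "support_expires": date(2025, 6, 30), "rto_hours": 4,
     "last_validated": date(2022, 12, 1)},
    {"asset_id": "los-db-01", "asset_type": "database", "owner": "IT Ops",
     "location": "HQ data center", "classification": "restricted",
     "support_expires": date(2022, 11, 30), "rto_hours": 2,
     "last_validated": date(2021, 10, 1)},
    {"asset_id": "branch-fw-07", "asset_type": "firewall", "owner": "",
     "location": "Branch 07", "classification": "internal",
     "support_expires": date(2023, 3, 1), "rto_hours": 8,
     "last_validated": date(2022, 9, 1)},
    {"asset_id": "cloud-storage-east", "asset_type": "cloud service", "owner": "Servicing",
     "location": "vendor region east", "classification": "restricted",
     "support_expires": date(2026, 1, 1),
     "last_validated": date(2023, 1, 2)},
]


def run_demo():
    """Validate the sample inventory as of AS_OF."""
    return validate_inventory(SAMPLE_ASSETS, today=AS_OF)


if __name__ == "__main__":
    for asset_id, issue in run_demo():
        print(f"{asset_id}: {issue}")
```

Run against the sample, the script reports nothing for the web server, an expired and stale database entry, a firewall with no owner and support ending within 90 days, and a cloud service with no recovery time requirement; in practice the same check would run on every inventory export before it is presented to the CISO.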

Governance 

Governance will be updated in the Amendments to include new obligations, including:

·     CISO independence and authority to ensure that cyber risks are appropriately managed;

·     Additional CISO reporting obligations to the board of directors, to include plans for remediating inadequacies and timely reporting on material cybersecurity issues or major cybersecurity events (which are not defined);

·     Expertise and knowledge thresholds for board members (or requirements that persons with such expertise and knowledge advise them) such that they can exercise effective oversight of cyber risk;

·     Cybersecurity policy approval by the board (i.e., not senior management);

·     Annual certification of compliance with the Cybersecurity Rule by the CEO and CISO, as differentiated from a senior officer;

·     Required business continuity and disaster recovery (“BCDR”) plans, which would need to include certain prescribed content, such as identification of essential data, personnel, and infrastructure, a communications plan in the event of a disruption, and procedures for the maintenance of backup infrastructure;

·     Periodic testing of incident response and BCDR plans, including the ability to restore systems from backups in order to address ransomware incidents; and

·     Annual review by the CISO of the feasibility of encryption and the effectiveness of compensating controls, as well as a requirement to implement a written policy requiring industry-standard encryption to protect nonpublic information held at rest or transmitted over external networks by the covered entity. 

Larger (Class A) Companies 

The Amendments will impose additional cybersecurity obligations on a new category of covered entities, so-called “Class A Companies.” Under the Amendments, a “Class A Company” would be a covered entity with: (1) over 2,000 employees; or (2) over $1 billion in gross annual revenues averaged over the last three years from all of its business operations and those of its affiliates.  

These Class A Companies would be subject to additional cybersecurity obligations, including: 

·     Annual independent audits of the company’s cybersecurity program; 

·     Weekly vulnerability assessments, including systematic vulnerability scans and reviews of information systems, and documentation and reporting to the board and senior management of material gaps identified by these assessments; 

·     Password controls, including a “vaulting solution” for privileged accounts and an automated method for blocking commonly used passwords; 

·     Monitoring of anomalous activity by way of an endpoint detection and response solution, with a centralized solution for logging and security event alerting; and 

·     Risk assessments by external experts at least once every three years. 
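The "automated method for blocking commonly used passwords" in the third bullet is straightforward to implement, and the implementation detail that matters is normalization: a blocklist lookup that only catches the exact string "password" misses "P@ssw0rd2023". The script below is an added example written for this post, not a DFS or vendor implementation. It lower-cases the candidate, undoes common character substitutions and strips leading and trailing digits or symbols before comparing against the list, and also rejects passwords built from the user's name or the company's name. The blocklist is a tiny constructed sample standing in for a full breached-password list, and the 12-character floor is an assumption.

```python
"""Automated blocking of commonly used passwords, one of the Class A controls.
A candidate is normalised (case, common character substitutions, leading and
trailing digits or symbols) before it is looked up, so "P@ssw0rd2023" is
rejected along with "password". Added example; the blocklist is a tiny
constructed sample and the length floor is an assumption."""
import re

# Constructed sample of a commonly-used-password list, stored in lower case.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "football",
    "iloveyou", "admin", "mortgage", "summer", "changeme",
}

# Substitutions people use to dress up a common word; undone before lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical_forms(pw):
    """All normalised spellings of pw that are compared to the blocklist."""
    low = pw.lower()
    # Drop a leading or trailing run of digits/symbols ("Password123!" -> "password").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, stripped}
    # Undo substitutions on both spellings ("p@ssw0rd" -> "password").
    forms |= {f.translate(LEET) for f in (low, stripped)}
    return forms


def check_password(pw, username="", org_words=(), min_length=12):
    """Return (accepted, reason). Rejects short passwords, blocklist matches
    after normalisation, and passwords built from the user or organisation name."""
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    for form in canonical_forms(pw):
        if form in COMMON_PASSWORDS:
            return False, f"matches common password '{form}'"
    low = pw.lower()
    for word in (username, *org_words):
        if len(word) >= 4 and word.lower() in low:
            return False, f"contains '{word}'"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Password123!", "P@ssw0rd2023", "jsmithRocks2023",
                      "Correct-Horse-Battery-7"):
        print(candidate, "->", check_password(candidate, "jsmith", ("lenders",)))
```

A real deployment would load the blocklist from a large file and run this check at password creation and reset, which is where the control has to sit for a privileged-account vaulting solution to be worth anything.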

Even covered entities that do not qualify as Class A Companies should consider implementing at least some of the Class A obligations.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 23 NYCRR Part 500

[ii] Announced by the DFS on July 29, 2022

Wednesday, December 22, 2021

Mother of All Computer Bugs

QUESTION
I hate to be the bearer of bad tidings right before Christmas, but I would like you to put my question on top of the others since this concerns a worst-case scenario of cybersecurity and ransomware. I am with a large regional mortgage lender, and I am the company’s CISO. 

On December 20th, The Washington Post reported that a new bug was discovered called “log4j.” It was found on December 9th. This is like the mother of all computer bugs! 

The article says that cloud storage companies such as Google, Amazon, and Microsoft – companies that provide the digital backbone for millions of other apps – are affected. Giant software sellers are affected, too, such as IBM, Oracle, and Salesforce. And, devices that connect to the Internet (i.e., TVs and security cameras) have been hit. Hackers can get into digital spaces and steal information or plant malicious software. This bug is virtually everywhere and affects billions of computers. 

We anticipate that ransomware attackers will now have a new way to break into computer networks and freeze out their owners. I really think you should put back up the links to your Ransomware policies and checklists. 

Banks or mortgage companies, big and small, accepting cryptocurrencies are also affected because they will be targeted and asked to send millions in cryptocurrency to hackers or risk being locked out of their computers indefinitely and exposing their sensitive information. 

My question is: would you provide your readership with information from the government agency that monitors and advises the public about this threat?

ANSWER
Thank you for your timely question. Given the urgency, I have prioritized it for a response. I am grateful that you have contacted us to assist in making our readership aware of this immense computer threat. 

The computer bug, “log4j,” allows hackers to reach deep into systems, cutting past all the typical defenses software companies use to block attacks. 

The article you cite is "The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know." It was published in The Washington Post on December 20th.  

The article quotes Jen Easterly, the Director of the U.S. Cybersecurity and Infrastructure Security Agency, saying, “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” You can watch Director Easterly’s interview HERE. 

According to the article, “The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.” 

Because you are the Chief Information Security Officer (CISO), the remit of your undertaking is to implement the information security program, which includes the requirements to protect system assets from internal and external threats. 

The CISO has a direct responsibility to maintain the company’s security posture, which is a different task than required of the Chief Information Officer (CIO), a position that involves oversight and managing the overall systems. The CISO and CIO work together. The former is engaged in the hands-on, precise application of cybersecurity initiatives. The latter maintains the overall system comprehensiveness and usually reports to top management and the board of directors. 

As of today’s date, the bug is careening through millions of computers and degrading millions of enterprise systems and Cloud services. You mentioned the threat of ransomware attacks. Indeed, I have written extensively about them as well as cybersecurity. You can read some of my posts, such as:

I have published articles and White Papers on cybersecurity guidelines, one of which concerns the cybersecurity guidelines promulgated by the New York Department of Financial Services (DFS). The regulation took effect on March 1, 2017, and has been continuously updated. The DFS has provided a model for cybersecurity guidelines in many state banking departments. For an overview, I suggest you download my article Cybersecurity Guidelines - "First-In-The-Nation" Regulation. Consider implementing similar requirements.

We provide a free Ransomware checklist. We also offer exceptional and reasonably priced policies and procedures for Ransomware as well as Cybersecurity. For more information, visit our website.

Short of letting the engineers figure out how to stop the bug, people can take several precautions, such as avoiding phishing emails that trick you into clicking a link or opening an attachment. This new bug vulnerability means that computers will be hit with many such messages as hackers plant malicious code before the computer gets a corrective patch. Also, be sure that the computer’s operating system and apps are updated. 

The government agency monitoring the log4j bug is the Cybersecurity and Infrastructure Security Agency (CISA). CISA has published Emergency Directive 22-02, Mitigate Apache Log4j Vulnerability.

The agency has a continuously updated and highly technical log4j webpage. However, the webpage does provide an Additional Resources section with helpful guidance, such as CISA’s Cyber Essentials.

I suggest that senior management review Questions Every CEO Should Ask About Cyber Risks.

Also, I recommend FFIEC's Information Security Booklet, in the Information Technology Examination Handbook. Amongst the many tools provided by FFIEC, the Cybersecurity Assessment Tool helps to identify cyber-risks and determine cybersecurity preparedness.
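The first thing the CISA directive asks of an organization is to find out where the affected library is actually installed, which is the part a CISO can delegate to a script. The following Python example is added here and is not CISA's tooling or this firm's code: it walks a directory tree, picks out Log4j core jar files by their conventional file name, and reports each one as "ok" or "needs-update" against the fixed release for its branch (the library kept separate maintenance branches for older Java releases, so a plain "highest version wins" comparison would mis-flag them). The FIXED_VERSIONS list is a placeholder to be replaced with the values in the current Apache and CISA advisories, and the jar tree that run_demo() builds is constructed for the demonstration.

```python
"""Enumerate Log4j core jars under a directory tree and flag any older than
the fixed release for its branch, the enumeration step CISA's Emergency
Directive asked organisations to carry out before mitigating. Added example;
the fixed-version list is a placeholder to be taken from the current Apache
and CISA advisories, and the jar tree built by run_demo() is constructed."""
import os
import re
import shutil
import tempfile

# Matches the conventional release jar name, e.g. log4j-core-2.14.1.jar
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

# PLACEHOLDER: one fixed version per maintained branch (the main line plus the
# branches kept for older Java releases); take the real values from the advisory.
FIXED_VERSIONS = ["2.17.1", "2.12.4", "2.3.2"]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def is_outdated(version, fixed_versions):
    """True if version is below the fixed release of its own major.minor branch,
    or below the newest fixed release when its branch has no entry."""
    v = parse_version(version)
    thresholds = [parse_version(f) for f in fixed_versions]
    same_branch = [t for t in thresholds if t[:2] == v[:2]]
    return v < (min(same_branch) if same_branch else max(thresholds))


def scan(root, fixed_versions=FIXED_VERSIONS):
    """Return sorted (relative path, version, status) for every log4j-core jar under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if not m:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            status = "needs-update" if is_outdated(m.group(1), fixed_versions) else "ok"
            results.append((rel, m.group(1), status))
    return sorted(results)


def run_demo():
    """Build a constructed application tree with three Log4j jars and scan it."""
    work = tempfile.mkdtemp()
    try:
        for rel in ("app/lib/log4j-core-2.14.1.jar", "app/lib/other-lib-1.0.jar",
                    "app/legacy/log4j-core-2.12.4.jar", "app/new/log4j-core-2.17.1.jar"):
            path = os.path.join(work, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()   # empty placeholder file; only the name matters here
        return scan(work)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for rel, ver, status in run_demo():
        print(f"{status:12} {ver:8} {rel}")
```

Jars embedded inside other archives, or Log4j bundled under a vendor's own file name, will not be found by a file-name scan; that is why the directive pairs enumeration with vendor inquiries, and why the output of a script like this is a starting list rather than a completed inventory.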

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Friday, June 25, 2021

Phishing Scams

QUESTION
We had training on protecting our emails from being scammed. 

On the subject of phishing, some of us were disappointed because we learned what phishing is but not how to protect ourselves from it. 

We don’t feel there is an organized effort to do enough to stop phishing scams. There must be Best Practices, yet we can’t even get the trainer to give us a list of them. 

What are some Best Practices for preventing the phishing of our emails?

ANSWER
Phishing has been trending up for a long time, evincing greater sophistication and ingenuity. Such scams adversely affect business relationships, transactions, and customer relations, and cause compromised interactions in the loan flow process. We are heavily dependent on emails to conduct business, yet phishing continues to invade email interactions with increasing frequency. 

So, how does a phishing scam work? 

Let’s illustrate using a simple order to change wiring instructions. You can extrapolate this illustration to many other business interactions. So, we’ll use it as a proxy for other areas that phishing scams can compromise. 

Although there are non-email ways of handling the change order, thousands of institutions use email, and email is ripe for attack. To change the wiring instructions, the bad actor first obtains access to the communications containing the instructions. 

The more individuals on an email thread, the greater the likelihood that one of them will be compromised unknowingly. And it only takes one person to open the gate to the scammer. In effect, the thread is only as strong as the weakest link! 

Once the bad actor has access to a target’s email, the attacker learns the details of the pending transaction and mimics the parties’ written communications. The attacker then takes over or “spoofs” certain email addresses and interposes itself in the email traffic, often starting with innocuous communications to build trust. 

Ultimately, the attacker is ready to announce a change in fund transfer details due to a bank “audit” or similar justification or no justification at all. If the attacker’s deception is undetected, the payment will transfer to the attacker’s account instead of the intended recipient. And unless the transfer is caught and reversed within 24 hours, it can be very complicated, if not impossible, to claw the funds back, resulting in a significant financial loss. 

Subsequently, there is often an investigation and a dispute regarding who bears the financial responsibility for the loss. In the meantime, the loss is all too real, fees pile up, the transaction is destabilized, and legal costs skyrocket. 

So, what are some practices to protect yourself from phishing scams? 

If you think that you can cover all possibilities to prevent phishing scams, be advised, that is not possible. The scammers tend to be one step ahead of even IT people. Indeed, whole U.S. government agencies have been hacked via phishing scams! Therefore, no single security tactic is going to thwart all attacks, given that the attackers have many targets to choose from among all of the parties involved in a transaction. 

There are a few steps you can take to reduce the likelihood of a successful attack. I’m not sure if we can call them Best Practices since dozens of proposed ways are constantly being found to prevent phishing attacks. That said, I think a viable list of Best Practices should contain some of the following safeguards. 

- Maintain strong payment authorization procedures by requiring a review of wire transfers, particularly those above a certain amount, to limit the chance of making a payment to a fraudulent account. I suggest multiple approval thresholds, obtaining verbal confirmations of wires, and educating affected personnel on the prevalence of these scams. The theme here is to be on “high alert” for any change in protocol. 

- Some companies insert the label “EXTERNAL” in all emails from external sources, thereby reminding employees to exercise caution. This label may help to identify a purported internal email coming from a spoofed email address. 

- Develop a checklist of “Red Flag” issues that require further due diligence, such as procedures for wiring to new recipients or previously unused destination accounts or any other change in the standard protocol. 

- Implement Multi-factor Authentication for emails, which can help prevent many, although not all, phishing attacks. Multi-factor Authentication is not foolproof, but it is strong protection. This authentication method requires the user to provide two or more verification factors to access a resource such as an application, an online account, or a VPN. Rather than just asking for a username and password, the user must provide one or more additional verification factors. 

- Periodically train and test employees to identify and report phishing attempts. Teach them to follow “email security hygiene,” such as checking email domains and not following links, opening documents, providing credentials, or sending payments without verifying the source. 

- You might want to get cyber insurance because it may include, among other things, coverage for misdirected funds transfers and loss of business due to a cyber event. 

If you are snared in a phishing scam, it’s a good idea to consider the following actions: 

- Change account passwords for all employees on the impacted email chain and, if possible, everyone in the entire company; 

- Check relevant email accounts for any auto-forwarding rules, which attackers may create, given that they can remain running even after passwords are reset; 

- Contact counsel familiar with cyberattacks to determine appropriate steps to investigate and contain the incident, including, if needed, retaining a forensic consultant and, where possible, coordinating with other financial institutions to attempt to block the transfer of funds. 

- Contact law enforcement to assist in the recovery of the funds. While recovery can be challenging if funds have already been transferred, agencies such as the FBI do try to help; and, 

- If any accounts have been compromised, determine whether any other information was affected, such as personal information for which there could be a breach notification obligation.
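The auto-forwarding check in the second step above is easy to overlook because the rules survive a password reset and the mailbox owner rarely sees them. As an added example (not any mail platform's tooling or this firm's procedures), the Python below audits a list of mailbox rules and reports those that forward or redirect to an address outside the company, and those that delete or mark as read messages whose subject mentions wires, payments or credentials, which is how an intruder keeps the victim from noticing the replies. The rule records are a constructed simplification of what a rule export contains, not any vendor's real schema, and the company domain is made up.

```python
"""Audit of mailbox rules for the persistence a phishing intruder leaves
behind: auto-forwarding or redirecting outside the company, and rules that
delete or hide payment-related mail. Added example; the rule records are a
constructed simplification, not any mail platform's real export schema."""

OUR_DOMAINS = {"examplelender.test"}          # constructed company domains
SENSITIVE_WORDS = ("wire", "payment", "invoice", "password", "closing")


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in OUR_DOMAINS


def audit_rules(rules):
    """Return (mailbox, rule name, finding) for each suspicious rule, in input order."""
    findings = []
    for rule in rules:
        # Any copy of mail leaving the company is a finding, whatever the rule is called.
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        outside = [t for t in targets if is_external(t)]
        if outside:
            findings.append((rule["mailbox"], rule["name"],
                             "forwards or redirects outside the company: " + ", ".join(outside)))
        # Rules that silently remove or pre-read payment-related mail hide the fraud.
        hides = rule.get("delete") or rule.get("mark_read")
        words = [w.lower() for w in rule.get("subject_contains", [])]
        sensitive = [w for w in words if any(s in w for s in SENSITIVE_WORDS)]
        if hides and sensitive:
            findings.append((rule["mailbox"], rule["name"],
                             "deletes or hides messages about: " + ", ".join(sensitive)))
    return findings


# Constructed rule export, not real data.
SAMPLE_RULES = [
    {"mailbox": "closer@examplelender.test", "name": "Backup copy",
     "forward_to": ["closer.backup@webmail.example"]},
    {"mailbox": "cfo@examplelender.test", "name": "Cleanup",
     "subject_contains": ["wire", "invoice"], "delete": True},
    {"mailbox": "lo@examplelender.test", "name": "Team CC",
     "forward_to": ["manager@examplelender.test"]},
    {"mailbox": "lo@examplelender.test", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to": "Newsletters"},
]

if __name__ == "__main__":
    for mailbox, name, finding in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} [{name}]: {finding}")
```

Run across every mailbox on the impacted thread, not only the one that was obviously compromised, and repeat the audit after the reset, since a rule re-created from a second foothold is the usual sign that the intruder still has access.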

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, October 29, 2020

Disaster Recovery and Business Continuity

QUESTION
We are a mortgage lender in the northwest. Our largest investor asked us for a Disaster Recovery Plan and a Business Continuity Plan.

We sent them the former because we consider it the same as the latter. While the investor accepted that we have a Disaster Recovery Plan, it rejected it as being also a Business Continuity Plan. We always thought these plans were basically the same thing.

Now we are scrambling to get them a Business Continuity Plan.

So, what is the difference between a Disaster Recovery Plan and a Business Continuity Plan?

ANSWER
It may seem like a Disaster Recovery Plan is just another way of saying Business Continuity Plan. But they are fundamentally different, and each serves different purposes. Both plans should interface with each other in complementary ways.

You cannot expect a Disaster Recovery Plan to act as a proxy for a Business Continuity Plan. Nor can you use a Business Continuity Plan to act as a proxy for a Disaster Recovery Plan. If you try that tactic with regulators, they will cite you with adverse findings. If you are state licensed, banking departments may share those findings with other states where you’re licensed. Federal prudential regulators will also likely issue adverse results.

And what are we describing here?

We are describing how to ensure the company remains viable when faced with significant threats to its existence. So, I will give you some pointers that will help you to know the difference between these two essential documents. But be advised: just as a bird does not fly on one wing, a company cannot depend on only one of these plans. It must have both!

Our firm has identified six factors in disaster recovery and business continuity. 

These are:

1. Disaster Planning

2. Business Impact Analysis

3. Business Continuity Management

4. Business Continuity Plan

5. Recovery Time Objectives

6. Deployment

Without getting too detailed about each of these factors, I am going to focus on your specific question, which is: what is the difference between a Disaster Recovery Plan and a Business Continuity Plan?

Let’s begin with this concept: every Business Continuity Plan (BCP) contains a Disaster Recovery Plan (DRP). This is because the DRP is focused on data recovery and integrity, whereas the BCP is focused not only on data recovery and integrity but also on the many elements involved in the continuation of a business enterprise. Think of it this way: the BCP is business-centric, whereas the DRP is data-centric.

The BCP resolves certain tactical questions involving business operations confronted with the disruption of the business entity, such as:

- Does the company have a business continuity plan in place for continuation?

- Who are the management and staff personnel in charge of business operations?

- How does the company respond to vendors and third-party relationships?

- What challenges are anticipated and readied to fulfill obligations?

- How does the company maintain customer loyalty and public confidence?

- What aspects of the company need to be first recovered to stay in business?

- How prepared is the company to operate remotely?

- What are the financial costs of downtime to the company?

Some of the foregoing depend on the ability of the company to recover its data quickly, effectively, and broadly. If the DRP is flawed, all of that is imperiled; to wit, loss of reliability, diminished scope, inability to scale up, and persistence of downtime after the disruption has passed. Typical disasters and disruptions are wars, terrorist attacks, storms, hurricanes, tornados, pandemics, epidemics, fires, earthquakes, electric outages, and floods.

From the standpoint of the various risks – for instance, risks to reputation, legal, regulatory, operational, financial, compliance, security, fraud, and competition – failure to implement the requirements of a DRP and BCP could mean the company will not survive the disaster.

The DRP resolves specific tactical questions involving data recovery and data integrity if there is a disruption of the business entity, such as:

- Does the company have a disaster recovery solution in place for its data?

- Can the company rely on and trust the data that is recovered?

- How long will it take to recover the data from backup solutions?

- What is the projected downtime caused by impeded access to data?

- Is there an offsite copy or data center for managing data?

- What are the recovery goals and staged recovery plans?

- Are applicable network resources available to users?

- Are critical systems identified and prioritized?

It doesn’t matter if the DRP and the BCP are in separate documents or situated as sections in a single document. Many companies choose to combine them for ease of use and training of employees. Lenders Compliance Group has three primary elements in a single document: disaster recovery; business continuity; and pandemic response. More information HERE.

Whatever the case, it is essential to keep these plans updated, as multifarious new requirements and challenges present themselves in an ongoing, dynamic business environment.

Ideally, a BCP due diligence should begin with a Business Impact Analysis (BIA). Although it has a kind of ominous title, this process is no more than a set of procedures that identify how a disaster could impact a company. If that is not known, how can the company develop strategies to survive a disruptive event?

Then, it is important to use the BIA to design survival strategies: identify the gaps in existing capabilities and mitigate them by acting on the BIA recommendations. Next, develop a plan, which reduces to writing the ways and means to ensure business continuity. That plan should be made available to all affected employees. Finally, the company should test the plan periodically, simulate a disruption, and learn from each test how to improve.

Ideally, a DRP review undertakes an evaluation of a company’s ability to tolerate minor to major data failures. It considers such adverse events as hacking, malware, data corruption, data breaches, and many potential IT infrastructure failures. As a subset of the BCP, the DRP is meant to keep the business running, reducing the effects of the disruption, and allowing the company to gradually emerge from a disaster intact and capable of continuation.

Whereas the BCP aims at an overall approach to surviving a disaster, the DRP must proceed along certain steps to effectuating its design. The process begins with outlining needs and objectives; that is, the DRP must reflect the company’s business model, meet risk analysis guidelines, determine the files and infrastructure features to maintain, and set forth some of the threats it seeks to mitigate. Without that information, it is not really possible to restore information adequately or regain productivity.

Then, the DRP needs to take stock of its components, such as hardware, software, and data. Finally, the plan should be developed with specificity, clarity, practicality, and ease of use. Affected employees should be trained appropriately, and, importantly, ongoing monitoring and testing must be implemented.

There is a natural ebb and flow to updating the DRP and BCP. Keep them updated as changes occur in the business model, regulatory and legal environment, and technology. Management should be focused like a laser beam on Disaster Recovery and Business Continuity.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, November 10, 2016

Elements of a Disaster Recovery Plan

QUESTION
Our compliance department has been tasked with developing a disaster recovery plan. Banking departments of several states are expecting us to ratify such a plan. However, we are not sure about what goes into this plan. What are the essential elements of a disaster recovery plan?

ANSWER
Although there is some variation to the features of a disaster recovery plan, we have found that there are constituent elements that are typical of this document. Sometimes “disaster recovery” is also referred to as “business continuity.” At the most rudimentary level, this plan sets forth the procedures to be followed in the event of an emergency or other disruption of a financial institution’s normal business activities. The goal is to be able to continue or to resume any operations as soon as possible with minimal disturbance to internal and external parties and certainly to recover any documentation and data required to be maintained by applicable laws and regulations.

In our development of disaster recovery plans for our clients, as well as the review of their existing policies and procedures involving such aspects as information security, cybersecurity, and other features of information technology, we have found that there are several salient elements of a disaster recovery plan. I will provide them here, with the caution that the list is not meant to be comprehensive, and, to be sure, other elements may be appropriate based on an institution's size, risk profile, and complexity.

Essential Elements of a Disaster Recovery Plan
  1. Identify documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the financial institution.
  2. Identify supervisory personnel who are in the chain-of-command for implementing each aspect of the disaster recovery plan and the emergency contacts required to be notified. These individuals must be given authorization to make key decisions in carrying out the plan’s requirements.
  3. Devise a plan to communicate with the following persons in the event of an emergency or other disruption: (a) Board of Directors; (b) Senior Management; (c) employees; (d) consumers; (e) affiliates; (f) media; (g) investors; (h) regulatory authorities; (i) data, communications and infrastructure providers and other vendors; and, (j) disaster recovery specialists and other persons involved in recovering documentation and data. 
  4. Ratify procedures for, and maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible. We recommend that operations be expected to resume within the next business day.
  5. Maintain back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the financial institution’s primary facilities, systems, infrastructure and personnel.
  6. Back up or copy, with sufficient frequency, documents and data considered essential to operations or to fulfill regulatory obligations, and store information off-site in either hard-copy or electronic format.
  7. Identify potential business interruptions encountered by third parties that are necessary to the financial institution’s continued operations and devise a plan to minimize the impact of such disruptions.
  8. Ensure that copies of the disaster recovery plan are placed at all accessible off-site locations, such as branches.
  9. Train, and periodically drill, affected employees and support systems on applicable components of the disaster recovery plan.
  10. Review and revise the disaster recovery plan at least annually or upon any material change to the financial institution. Any deficiencies or corrective actions must be documented.
  11. Test the plan at least annually by qualified, independent internal personnel or a qualified third-party service capable of performing a risk assessment. The testing date should be documented, with such documentation describing the nature and scope of the testing, any deficiencies found, any corrective actions taken, and the dates on which corrective actions were taken. I strongly recommend testing a disaster recovery plan at least once every three years by a qualified third-party service.
  12. Keep detailed records of all activity involving the implementation of the disaster recovery plan and maintain such information in a form that may be made available promptly, upon request, to representatives of regulatory and enforcement authorities, Federal agencies, prudential regulators, and state banking departments.
Jonathan Foxx
Managing Director
Lenders Compliance Group
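Two of the DRP questions above, whether the company can trust the data it recovers and how long recovery will take, and elements 6 and 11 of the list (back up essential data with sufficient frequency and test the plan) can be turned into a repeatable check. The following is an added example written for this page, not code from Lenders Compliance Group or from any plan it describes: it verifies a recovered backup set against a SHA-256 manifest captured at backup time, measures the backup's age against an assumed recovery point objective (RPO), and estimates restore time against an assumed recovery time objective (RTO). The file names, contents, timestamps, objectives and restore throughput are all constructed for illustration.

```python
"""Added example: verify a recovered backup set against its hash manifest and
check it against recovery objectives (RPO/RTO). Every file name, content,
timestamp and objective below is constructed for illustration; none of it is
real data or the policy of any particular institution."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RecoveryObjectives:
    rpo: timedelta  # recovery point objective: max tolerable age of the newest good backup
    rto: timedelta  # recovery time objective: max tolerable time to restore service


@dataclass
class BackupCheck:
    corrupt_files: list = field(default_factory=list)
    missing_files: list = field(default_factory=list)
    backup_age: timedelta = timedelta(0)
    estimated_restore: timedelta = timedelta(0)
    rpo_met: bool = False
    rto_met: bool = False

    @property
    def ok(self) -> bool:
        """True only when every file verifies and both objectives are met."""
        return (not self.corrupt_files and not self.missing_files
                and self.rpo_met and self.rto_met)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a SHA-256 per file when the backup is taken; keep the manifest
    separate from the backup media so a corrupted copy cannot vouch for itself."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_backup(manifest, backup_files, backup_time, now, objectives, restore_bytes_per_sec):
    """Compare a recovered backup set to its manifest and to the recovery objectives.

    manifest:      {filename: expected sha256 hex} captured at backup time
    backup_files:  {filename: bytes} as actually recovered from the off-site copy
    """
    result = BackupCheck()
    total_bytes = 0
    for name, expected in manifest.items():
        content = backup_files.get(name)
        if content is None:
            result.missing_files.append(name)
            continue
        total_bytes += len(content)
        # Hash comparison answers "can we trust the recovered data?"
        if sha256_hex(content) != expected:
            result.corrupt_files.append(name)
    # Backup age answers "how much data would we lose?" (the RPO question).
    result.backup_age = now - backup_time
    result.rpo_met = result.backup_age <= objectives.rpo
    # Volume divided by assumed throughput answers "how long will recovery take?" (the RTO question).
    result.estimated_restore = timedelta(seconds=total_bytes / restore_bytes_per_sec)
    result.rto_met = result.estimated_restore <= objectives.rto
    return result


NOW = datetime(2023, 5, 4, 12, 0, tzinfo=timezone.utc)  # fixed clock so the example is repeatable
OBJECTIVES = RecoveryObjectives(rpo=timedelta(hours=24), rto=timedelta(hours=4))  # assumed
RESTORE_RATE = 50 * 1024 * 1024  # assumed 50 MiB/s restore throughput

# Constructed "production" files as they looked when the backup was taken.
ORIGINAL_FILES = {
    "loan_db.sql": b"-- constructed dump\nINSERT INTO loans VALUES (1, 'sample');\n",
    "escrow_ledger.csv": b"loan_id,amount\n1,1250.00\n",
}
MANIFEST = build_manifest(ORIGINAL_FILES)


def demo_good_backup() -> BackupCheck:
    """Intact copy, 6 hours old: every check passes."""
    return verify_backup(MANIFEST, dict(ORIGINAL_FILES), NOW - timedelta(hours=6),
                         NOW, OBJECTIVES, RESTORE_RATE)


def demo_bad_backup() -> BackupCheck:
    """Altered dump, missing ledger, 36 hours old: integrity and RPO both fail."""
    recovered = {"loan_db.sql": ORIGINAL_FILES["loan_db.sql"] + b"-- corrupted trailing block\n"}
    return verify_backup(MANIFEST, recovered, NOW - timedelta(hours=36),
                         NOW, OBJECTIVES, RESTORE_RATE)


if __name__ == "__main__":
    for label, res in (("good", demo_good_backup()), ("bad", demo_bad_backup())):
        print(label, "OK" if res.ok else "FAIL", "corrupt:", res.corrupt_files,
              "missing:", res.missing_files, "age:", res.backup_age,
              "rpo_met:", res.rpo_met, "rto_met:", res.rto_met)
```

Running a check like this on every restore drill, and keeping its output with the test record that element 11 calls for, gives the documentation of "nature and scope of the testing" and "deficiencies found" something concrete to point to: a corrupt or missing file is a deficiency in the backup process, and a failed RPO or RTO is a deficiency in the plan's objectives or in the infrastructure meant to meet them.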

Thursday, April 30, 2015

Information Security Breaches

QUESTION
Much has been in the news recently of very large companies experiencing failures of their Information Technology infrastructure to prevent access to private, secure data. Breaches in security have compromised very large companies like Sony, Target and Home Depot.

As a small financial company, should I still be concerned?

ANSWER
The simple answer is “Yes!”

Compliance and security issues keep financial industry IT professionals up at night. And for good reason. Security breaches and instances of non-compliance can lead to fines, a loss of customer confidence and even criminal charges in extreme cases of negligence. The problem is that maintaining compliance and ensuring data protection are both time consuming and complicated.

Since the financial crisis, regulators have increased requirements and scrutiny of financial institutions for maintaining compliance. At the same time, every financial services organization needs to be aggressive about increasing and improving their services in order to remain competitive and attract new customers. 

IT departments within financial organizations are facing unprecedented change:
  • Companies now face competition on a global scale with nanosecond transactions
  • Customer applications are on 24x7 and outages are unacceptable
  • Security threats have become the #1 IT issue
  • Threats to company reputation and brands – the Ponemon Institute reported in September 2014 that 43% of companies experienced a data breach in the past year
  • Cloud, Big Data, Mobility & Security require additional investments in order to compete
  • IT budgets continue to be constrained and/or are shrinking

There are also market challenges financial companies must deal with:
  • 24 x 7 Infrastructure (always on)
  • Cost of downtime is ever increasing
  • Cybercrime is rampant
  • New data privacy laws 

Kevin Origoni
Director/IT and Information Security
Lenders Compliance Group