Proactive, not reactive: the path to ensuring operational resilience in cybersecurity

From bank robbers in the Wild West to ransomware-as-a-service (RaaS), threats to the world’s financial ecosystem have evolved significantly over the years. Technological advancements have led to the rapid evolution of the financial industry, from cash transactions to digital wallets, embedded finance, and open banking. But they have also democratized sophisticated technology tools, making them cheaper and more accessible for threat actors.

For financial firms, the emerging threat arena is immensely dynamic. We already have our hands full, ensuring operational resilience in the face of natural disasters, geopolitical changes, and loss of public confidence.

Now, with easy access to criminal “service providers,” anyone with a grudge or a group with an agenda can bring down a business or even compromise an entire sector. They don’t even need technical expertise: for a nominal fee, “as-a-service” providers will deliver an attack with the efficiency of a factory production line.

Against this backdrop, financial regulators worldwide are emphasizing the need to build operational resilience to maintain the stability of the financial sector. This is apparent from the EU’s Digital Operational Resilience Act (DORA), the framework for operational resilience established by the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) of the UK, and the updated business continuity guidelines of the Monetary Authority of Singapore (MAS).

So, how does the financial sector ensure operational resilience — the ability to counter, continue operations, recover, and learn — when the unexpected happens? It all comes down to adopting a proactive, not reactive approach.

Why use a proactive approach to security?

Operational resilience goes beyond ensuring business continuity by mitigating disruptions as and when they occur. Resilience needs a proactive approach to maintaining stable and reliable digital systems, regardless of the severity of threat incidents. This “bankability” (excuse the pun) of the financial system is critical to preserving public trust and confidence in the global financial system.

Given the interconnectedness of financial firms with external third parties, any plan for operational resilience needs to address multiple lines of communication, automated systems of interactions and information sharing, and a growing attack surface.

Here are the steps to building a proactive plan for resilience.

Identify potential risks

Begin by mapping your footprint in the overall sector, including your interconnections, information flows, continuity requirements, and gaps in the current cybersecurity strategy. Understand your internal and external dependencies. And identify acceptable levels of disruption for critical operations to gain a holistic view of your ability to resist, adapt to, absorb, and/or recover from a threat.

Create a response plan

Build efficient communication channels with internal and external parties. Make sure that everyone concerned has easy access to relevant information, anytime, anywhere. And build zero-trust principles into third-party connections so that vendors receive only time-bound, limited access.

Use lessons learned from past threats and exercises to understand the procedural standards needed. Identify the people and teams within your organization who will implement the plan, and clearly define their roles and responsibilities for disruptive events.

We expect software bills of materials (SBOMs) to become integral to security as financial firms increasingly rely on third-party apps and software. In fact, Gartner estimates that 45% of organizations globally will have experienced attacks on their software supply chains by 2025, a threefold increase from 2021.

Remain ready for action

Participate in exercises to strengthen response preparedness by building muscle memory. Exercises train your team to execute the resilience plan so that it can be deployed immediately when an event occurs. This muscle memory helps reduce panic, shorten response times, prevent ad hoc decisions, and enhance response effectiveness during a crisis.

Conduct exercises in collaboration with external partners, including government bodies, to test the preparedness to respond, highlight internal and external connections, and identify gaps in policy and procedure.

Expecting the unexpected

The financial sector’s dependence on the telecom and energy industries, and its increasingly global nature, mean that operational resilience exercises need to be not just cross-border but cross-sector too. Today, national or even global-level threats are a reality, emphasizing the need to include government partners in the exercises. After all, protecting critical private infrastructure safeguards a nation’s financial stability.

Exercises can also be conducted across different levels — departmental, organizational, sectoral, cross-sectoral (including public/private partners), and cross-border. They can also be of different types. While tabletop exercises help discuss and finalize the critical steps of a proactive plan, hands-on-keyboard exercises that entail actual technical simulations build the muscle memory mentioned earlier.

Locked Shields, organized annually by NATO since 2010, is a striking example of a hands-on exercise. The threats simulated in these exercises are informed by real-life scenarios: recent threats are used to project how they could escalate or transform into genuine risk incidents in the future. Locked Shields 2022 included public and private entities from the financial sector of 33 countries and simulated a massive cyber-attack on a fictional country. It strengthened the ability to withstand such attacks, which became a reality for Ukraine following the Russian invasion.

Exercises highlight how the financial sector could be targeted to undermine a nation’s ability to respond to crises. They also help build proactive strategies that support governments and financial firms in withstanding future threats while ensuring that channels of communication and coordination function seamlessly during major incidents. Operational risks are no longer limited by geography. When threat actors work through complex supply chains, our defenses need to be equally global. This is possible through cross-border intelligence sharing and exercising, empowering financial organizations to develop comprehensive strategies for operational resilience.
