In a recent FS-ISAC Insights post, the President & COO of Sheltered Harbor wrote about a paradigm shift: from systems to services, or better, from critical systems to critical services. The post makes a bunch of important points, which I summarize below.
In light of prolific cyber threats, an outage of a financial institution's operations is increasingly likely nowadays. Incidents such as Mærsk, Federal Express or the recent Finastra case are reminders of this. What is worse, due to the increased interconnectivity of critical financial services, the adverse effects of an impact on one institution could propagate further, leading to systemic risks in the financial system.
Allegedly, disaster recovery plans ensuring backups and redundancy are no longer sufficient by themselves due to the nature of modern threats; see data corruption incidents.
Operational Resilience is the proposed answer to the identified challenge. Essentially, it means abandoning a narrow, system-centric view and embracing a critical-service view in terms of the underpinning tech, processes and personnel.
Operational Resilience aims at ensuring critical services remain operational under devastating events. It requires identification of critical services, prioritization, resilience planning and verification thereof. Sheltered Harbor was the US answer to this challenge.
Over in Europe, the ECB and the Bank of England have worked on similar concepts since 2018.
In July 2018, the Bank of England provided the following definition:
"Operational Resilience is the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them"
Recognizing the importance of the cyber security elements in Operational Resilience, the European Parliament, in 2018, called on the Commission "to make cybersecurity the number one priority in the FinTech action plan".
In March 2018, the ECB presented the objectives, principles and process of the TIBER-EU Framework and defined Cyber Resilience as follows:
"Cyber Resilience refers to the ability to protect electronic data and systems from cyberattacks, as well as to resume business operations quickly in case of a successful attack."
Since then, TIBER-EU has been implemented in a number of European countries and the adoption rate keeps increasing.
In a series of subsequent articles, I will share my views on TIBER-EU.