Companies worldwide rely on technology and connectivity to engage with customers and suppliers, process payments, and conduct daily operations. While innovation has revolutionized business practices, it also introduces significant risks, such as cyberattacks.
Threats such as the rise of AI allow threat actors to deploy more sophisticated attacks faster and more widely.
Continuity of business (COB) or business continuity plans (BCPs) are often associated with physical disruptions such as natural disasters. But given the critical threats presented by cyberattacks, which can interrupt business, facilitate fraud, lead to regulatory fines, and tarnish a company’s reputation, cyber must be a key part of COB plans.
Whether hurricanes, human error, supply chain breakdown or cyberattacks disrupt business, it is important to have a business continuity team in place that has an (offline) list of contacts (including banks, suppliers and other stakeholders) with clear escalation plans, and a strategy for communications and regulatory advisories.
However, cyber threats are both rapidly evolving and constant; they therefore necessitate a distinct approach compared to other risks in a COB plan.
It is a business reality that most companies will suffer a cyberattack at some point. Adequate preparation can make a big difference to a company’s ability to respond to an attack, contain the threat and recover. Basic cyber hygiene measures must be practiced throughout the organization and closely integrated with the COB plan. In practice, this means being aware of risks such as:
A COB plan should contain a set of actions and procedures, generally contained in a playbook, that will ensure stability and continuity of business should operational disruptions occur. The playbook should be regularly tested and maintained, with a copy stored offline in the event that an attack shuts down all systems.
The nature of a cyber-COB necessarily depends on the company and its requirements. Continuity must be assessed in relation to the company’s size, structure, and technology capabilities. In addition, the number and complexity of vendors and the sophistication of their systems should be considered.
Mid-sized companies can face greater challenges and these should be reflected in both regular cybersecurity measures and COB plans. For instance, there may be greater reliance on third-party suppliers, which can increase risk exposure.
Similarly, mid-sized companies may also have fewer controls like maker/checker processes, making them more vulnerable to fraud; if one account is compromised, it may be possible to easily manipulate payments.
Many companies, across multiple sectors, rely heavily on the ability to digitally send wires and make payments. Cyberattacks can often force a shutdown of operations. Drafting a COB plan without consulting your bank can be costly. It is important for all companies, irrespective of size, to consider how they would operate during and following a cyberattack and devise a plan accordingly, discussing their plan with their banks.
Consider two companies that recently experienced cyberattacks. Both had to shut down their systems as a preventative measure and to safeguard their reputation. One company remained shuttered for over a week. In contrast, the other company activated its COB plan, which had been drafted with input from Citi; payment volumes were gradually increased, and 70% operational capacity was achieved by the end of the day of the attack.
Key components of the successful COB plan included:
From a cyber risk perspective, a COB plan should be designed to ensure the ability to continue business operations. Data backups and failovers (where a system automatically switches to a backup) are typical components of any plan. Ensure that escalation points are identified, along with a list of emergency contacts, both internal and external. Seemingly mundane matters, such as having a printed list of phone contacts for contingency situations, are vital when all networks (and stored telephone numbers) are inaccessible; they can make the difference between resilience and catastrophe in the event of a cyberattack.
Plans should also address payments infrastructure; contingency arrangements should reflect the business or reputational risk that would result from an inability to make payments.
Planning should identify critical functions and data, not just within the organization but also where there are vendor or supplier dependencies. For example, it is important to have emergency contacts for your banking partners, vendors and others that you may need to contact in the event of any disruption.
Questions to be considered in a COB plan include:
The COB plan should also ensure that the right tools are in place and that the appropriate subject matter experts, including technology, legal and others as appropriate from inside and/or outside the organization, work together in case of any disruption.
Companies should start by assessing the suitability and availability of alternative payment types. Wires, for example, are always accessible and require no additional implementation. For high-volume ACH processors, real-time payments can be used as a backup in case of an ACH disruption.
COB plans are only valuable if they can be relied on. Companies need to perform annual denial-of-service tests (where an application goes down, and manual workarounds are implemented). Annual denial-of-access tests (where alternate working arrangements, such as remote work, are tested) are also essential. Data backups and failovers must be regularly tested and maintained to ensure business continuity.
Mid-sized companies, in particular, need to ensure their communications plans are robust. If email systems go down, they need a failsafe plan to communicate and manage incidents. While technology testing is often rigorous, communication processes are harder to test but equally important. It’s essential to ensure that staff understand escalation protocols and how to keep business operations running during an incident.