Be Prepared for the Unexpected

Continuity of Business (COB) planning is essential in the digital age
Article  •  November 22, 2024

Companies worldwide rely on technology and connectivity to engage with customers and suppliers, process payments, and conduct daily operations. While innovation has revolutionized business practices, it also introduces significant risks, such as cyberattacks. 

Developments such as the rise of AI allow threat actors to deploy more sophisticated attacks faster and more widely.

Continuity of business (COB) or business continuity plans (BCPs) are often associated with physical disruptions such as natural disasters. But given the critical threats presented by cyberattacks, which can interrupt business, facilitate fraud, lead to regulatory fines, and tarnish a company’s reputation, cyber must be a key part of COB plans. 

Whether hurricanes, human error, supply chain breakdown or cyberattacks disrupt business, it is important to have a business continuity team in place that has an (offline) list of contacts (including banks, suppliers and other stakeholders) with clear escalation plans, and a strategy for communications and regulatory advisories. 

However, cyber threats are both rapidly evolving and constant; they therefore necessitate a distinct approach compared to other risks in a COB plan.

Preparing for Cyberattacks

It is a business reality that most companies will suffer a cyberattack at some point. Adequate preparation can make a big difference to a company’s ability to respond to an attack, contain the threat and recover. Basic cyber hygiene measures must be practiced throughout the organization and closely integrated with the COB plan. In practice, this means being aware of risks such as:

Business email compromise (BEC)
  • What is it? BEC is an attack method where the fraudster uses email to trick an employee into sending money, changing account numbers or divulging confidential information.
  • What are the red flags? Watch for small discrepancies in a sender’s email address (e.g., similar-looking characters, additional characters or email domain changes).
  • What are the best practices? Verify payment detail changes by contacting vendors directly using known phone numbers. Confirm any requested changes received via email such as switching banks or changing account numbers.
  • What preventative measures should you build into your security program?
    • Establish a culture of vigilance (e.g., questioning unusual emails, verifying the sender’s email address, etc.).
    • Use a maker-checker approach for payment approvals.
    • Perform regular reconciliation, ideally on a daily basis.
    • Ensure employees understand relevant risks and know correct escalation processes for concerns or suspicions.
 
Credential phishing
  • What is it? Credential phishing is where a fraudster attempts to gain access to, and steal, login credentials or other sensitive information. It primarily aims to gain access to accounts by stealing usernames and passwords, which can then be used for various malicious activities.
  • What are the red flags? Fake emails, websites, messages or calls that appear to be from legitimate sources to trick recipients into providing their information.
  • What are the best practices? Employee training must be up to date as phishing approaches evolve over time.
  • What preventative measures should you build into your security program?
    • Multi-Factor Authentication makes it harder for attackers to gain access even if credentials are compromised.
    • Advanced email filtering can reduce the number of phishing emails reaching employees.
    • Regular password expiry should be built in to all systems that require login.

Designing a Cyber COB Plan

A COB plan should contain a set of actions and procedures, generally contained in a playbook, that will ensure stability and continuity of business should operational disruptions occur. The playbook should be regularly tested and maintained, with a copy stored offline in the event that an attack shuts down all systems.

The nature of a cyber-COB necessarily depends on the company and its requirements. Continuity must be assessed in relation to the company’s size, structure, and technology capabilities. In addition, the number and complexity of vendors and the sophistication of their systems should be considered. 

Mid-sized companies can face greater challenges and these should be reflected in both regular cybersecurity measures and COB plans. For instance, there may be greater reliance on third-party suppliers, which can increase risk exposure. 

Similarly, mid-sized companies may also have fewer controls like maker/checker processes, making them more vulnerable to fraud; if one account is compromised, it may be possible to easily manipulate payments.

A Tale of Two COB Plans

Many companies, across multiple sectors, rely heavily on the ability to digitally send wires and make payments. Cyberattacks can often force a shutdown of operations. Drafting a COB plan without consulting your bank can be costly. It is important for all companies, irrespective of size, to consider how they would operate during and following a cyberattack and devise a plan accordingly, discussing their plan with their banks. 

Consider two companies that recently experienced cyberattacks. Both had to shut down their systems as a preventative measure and to safeguard their reputation. One company remained shuttered for over a week. In contrast, the other company activated its COB plan that had been drafted with input from Citi; payment volumes were gradually increased, and 70% operational capacity was achieved by the end of the day of the attack.

Key components of the successful COB plan included: 

  • Prioritization of larger transactions to maintain critical client services.
  • A contingency bank account, not linked to the company’s accounting software and known only to a few senior team members, for use in the event of system compromise.
  • Regular cyber drills to ensure those aware of the backup system can access it and verify its readiness. Periodic transactions are also conducted to ensure functionality.
  • A ‘look back’ review of all recent transactions for suspect payments or unusual activity. It is important to identify any other potentially fraudulent activity that may have occurred.

From a cyber risk perspective, a COB plan should be designed to ensure the ability to continue business operations. Data backups and failovers (where a system automatically switches to a backup) are typical components of any plan. Ensure that escalation points are identified, along with a list of emergency contacts, both internal and external. Seemingly mundane matters, such as having a printed list of phone contacts for contingency situations, are vital when all networks (and stored telephone numbers) are inaccessible; they can make the difference between resilience and catastrophe in the event of a cyberattack. 

Plans should also address payments infrastructure; contingency arrangements should reflect the business or reputational risk that would result from an inability to make payments. 

Planning should identify critical functions and data, not just within the organization but also where there are vendor or supplier dependencies. For example, it is important to have emergency contacts for your banking partners, vendors and others that you may need to contact in the event of any disruption. 

Questions to be considered in a COB plan include: 

  • Who is empowered to make decisions?
  • What are the priorities in terms of action?
  • What alternative forms of communications should be used if there is no network or email?
  • Who should be contacted at the bank or vendor?
  • Should access to all bank services be restricted or should visibility be prioritized?
  • Should clients or counterparties be contacted, and if so, by whom?

The COB plan should also ensure that the right tools are in place and that appropriate subject matter experts, including technology, legal and others as appropriate from inside and/or outside the organization, work together in case of any disruption.

Companies should start by assessing the suitability and availability of alternative payment types. Wires, for example, are always accessible and require no additional implementation. For high-volume ACH processors, real-time payments can be used as a backup in case of an ACH disruption. 

COB plans are only valuable if they can be relied on. Companies need to perform annual denial-of-service tests (where an application goes down, and manual workarounds are implemented). Annual denial-of-access tests (where alternate working arrangements, such as remote work, are tested) are also essential. Data backups and failovers must be regularly tested and maintained to ensure business continuity. 

Mid-sized companies, in particular, need to ensure their communications plans are robust. If email systems go down, they need a failsafe plan to communicate and manage incidents. While technology testing is often rigorous, communication processes are harder to test but equally important. It’s essential to ensure that staff understand escalation protocols and how to keep business operations running during an incident.
