Security

02:33 PM
Mitchel Kraskin
Mitchel Kraskin
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Business Continuity 2.0: Were Gonna Need a Bigger Boat

What would happen with a long-term outage to financial systems or the nation's critical infrastructure? Businesses aren't even close to being prepared.

As it is late August, I wanted to start with a quote from a great summer movie about a town in denial. “Close all the beaches at the height of the summer tourist season? It would ruin the local economy! Yes, the ocean is full of sharks, but what are the odds …?”

If you are like most people, the constant risk of some sort of cyberevent has been drummed into you, both at home and at work. Just like the threat of great white sharks, we know the risk of a cyberattack is out there, but we tend to shrug it off.

[Learn more about the Internet of Things at Interop's Internet of Things Summit on Monday, September 29].

While some of us have fallen victim to a data “breach” or “hack” of some sort, it was likely of short duration and a minor inconvenience. Bad charges may have appeared on your credit card and you were eventually covered, and perhaps even first notified by the issuer’s fraud department when its algorithms flagged it.

Mostly minor cyberlosses
Let’s leave aside a subset group that has suffered significant loss due to a situation like identity theft. For most of us, life has gone on, and it was no big deal. Better still, we’ve witnessed increased IT spending against the problem (the boat is now bigger) and we all have become a bit savvier. We no longer use “password” as our password.

Because of this, I believe we have become complacent and inured to cyberrisk. We are for better or for worse fully invested in the model. We are like that town in the movie. Shark attack? Low probability -- keep the beaches open!

This scares me on several levels, especially because we have yet to imagine, let alone prepare for, Cyber Doomsday. So, the time is now to start the conversation about Business Continuity Planning (BCP) 2.0 or Disaster Recovery Planning (DRP) 2.0 -- take your pick.

Let’s set the stage. This scenario is different. It’s systemwide and global. Everything is down -- all systems and all communications -- and nothing may come back online for days, weeks, or months. Moreover, everything is corrupted. Even if the systems come back up, the dataset is so badly damaged that it is impossible to reconcile who has what. There is no electronic finance of any kind -- from ATM withdrawals to credit cards, to wire transfers -- nothing. No trading, no settlement, and no idea who holds what.

Thinking the unthinkable
The culprits? Take your pick, but the risk is not likely to be criminal. (They can’t steal much once all screens are black and all bank balances are at zero.) It's not likely even environmental. (We lose the power grid to a force majeure event.) Sovereign risk is a bit more likely from state actors or others whose motivation is not financial but, worse, political or religious (or both). All of this done without a shot fired and with all other infrastructure left standing.

No matter the reason, we are not prepared for it. While we do craft BCP models, most still assume that the event is within a band of reason -- bounded and limited to a single entity. Most assume that even those events with a broader impact across multiple entities and networks will fully resolve and self-heal over time. We are at BCP/DRP 1.0.

With this in mind, I recently sat in on an industry roundtable to discuss a number of socially important FinTech topics. (That’s correct -- the terms are not mutually exclusive.) The group included fellow CEOs, tech wizards, policy makers from the public and private sectors, investors, GRC (governance, risk management, and compliance) experts, and entrepreneurs of various pedigrees.

When we turned our attention to the doomsday scenario, many felt it was a matter of if and not when. The discussion ranged from, “How do we do more to prevent it?” to, “How do we fix it after it occurs?”

This first of what will hopefully be ongoing discussions highlighted a few key considerations for us all to ponder and work on, including the following:

  • We are going to need a coordinated response paradigm.
  • Like BCP/DRP 1.0, there should be a “fire drill” or two in order to raise our response readiness.
  • Is there a role for “insuring” against the risk so that losses are somewhat covered?
  • We may need to rethink how we have built parts of the system. Is it open to a fault?
  • How do we restore confidence and an orderly resumption of commerce in the aftermath?

The sharks are out there. It’s impossible to close every beach. Time to get a bigger boat.

Mitchel Kraskin is co-founder and CEO of Compliance Science, Inc. ("CSI") which has developed several groundbreaking governance, risk management and compliance solutions. With over twenty five years of executive experience managing the creation and delivery of software-based ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
8/25/2014 | 6:16:55 AM
EMP Is not juut for the Matrix anymore
The Disaster Recovery 2.0 scenarios are almost too scary to contemplate, but we must.


For instance, the Wall Street Hournal recently ran an article on the very real possibility of a rogue state using electro magnectic pulse (EMP) weapons to knock out the electric grid for a long period of time.


In this scenario not only does banking grind to a hault, so does civilization:

http://online.wsj.com/articles/james-woolsey-and-peter-vincent-pry-the-growing-threat-from-an-emp-attack-1407885281
NJ_trader
50%
50%
NJ_trader,
User Rank: Moderator
8/26/2014 | 5:51:09 AM
Re: EMP Is not juut for the Matrix anymore
A bigger boat, indeed. The possible scenarios that one could think of are too many to list, but how do businesses plan for everything? It's impossible. So, what are the top 3 or 4 (or 10) Business Continuity 2.0 threats that are out there?
IvySchmerken
50%
50%
IvySchmerken,
User Rank: Author
8/27/2014 | 12:11:22 PM
Re: EMP Is not juut for the Matrix anymore
SIFMA is responsible for business continuity planning in the brokerage industry.

They held Quantum Dawn 2, a cybersecurity exercise, July 2013. What about this year?

from SIFMA Emergency Command Center:

In the event of a significant incident that affects or has the potential to affect the operations of the financial markets, SIFMA coordinates the financial industry's business continuity planning efforts.


What constitutes a significant emergency of incident ? According to SIFMA they include: [but we can all think of other cyber events not listed here]
  • Snow storms
  • Earthquakes
  • Floods
  • Hurricanes
  • Pandemic illness
  • Terrorist attacks
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
8/27/2014 | 12:23:58 PM
Re: EMP Is not juut for the Matrix anymore
I'm not sure if SIFMA considers cyber attacks as a different category, but they shouldn't. Cyber security is probably one of the most important issues facing the financial industry right now. And the industry needs to be on the lookout for cyber attacks that attempt to destabilize the markets (not just attacks that attempt to access accounts or funds). Destabilizing the markets with a cyber attack can do much more damage over the long term.
IvySchmerken
50%
50%
IvySchmerken,
User Rank: Author
8/27/2014 | 1:55:25 PM
Re: EMP Is not juut for the Matrix anymore
The SEC has been working with the industry (exchanges, depositories, clearing firms) to protect critical financial market infrastructure  from disruptions in the event of any type of outage, intrusion, hack attack, etc. 

Any type of disruption can shake investor confidence and can be worse than actual data theft.
Becca L
50%
50%
Becca L,
User Rank: Author
8/30/2014 | 6:43:33 PM
Re: EMP Is not juut for the Matrix anymore
The scenario Michael paints is a terrifying thought, and Greg that was a terrifying read as well. Remember the end of Fight Club when Tyler Durden blows up all the credit card databases.. These attacks paralyze a business and customers, and that's a kind of chaos we really haven't seen yet. 
ChrisN066
50%
50%
ChrisN066,
User Rank: Apprentice
9/2/2014 | 7:08:31 PM
Re: EMP Is not juut for the Matrix anymore
Read William Forstchen's One Second After, about what happens to a family, a town, and society in the year after an EMP attack.  The Woolsey article quotes the EMP Commission stating that an EMP attack could cause up to 90% of the U.S. population to possibly perish.  It is an apocalyptic scenario when there is no food and no medicine, other than the amount stores have with just in time deliveries.  Thinking about keeping a business open would not come to mind after reading this book.  I do find it hard to believe that the utilities are not working to harden their own infrastructures.  The WSJ Woolsey article said that it would only cost $2 billion to harden our electric infrastructure.  It is worth anything it costs to prevent our way of life from disappearing.
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
9/3/2014 | 6:04:05 AM
Re: EMP Is not juut for the Matrix anymore
True, $2 billion to harden the nation's critical infrastructure is not a lot, considering how much we spend on other initiatives.
Greg MacSweeney
50%
50%
Greg MacSweeney,
User Rank: Author
8/26/2014 | 11:58:02 AM
a bigger boat?
A little humor, apparently there have been a bunch of sharks off of Cape Cod:

Becca L
50%
50%
Becca L,
User Rank: Author
8/30/2014 | 6:48:06 PM
Re: a bigger boat?
Ha, very clever

Becca L
50%
50%
Becca L,
User Rank: Author
8/30/2014 | 6:48:08 PM
Re: a bigger boat?
Ha, very clever

Becca L
50%
50%
Becca L,
User Rank: Author
8/30/2014 | 6:44:09 PM
PLAN B
RE: "How do we restore confidence and an orderly resumption of commerce in the aftermath?"
I've heard many disaster recovery plans are 1 part functional recovery of systems, 9 parts marketing/PR response. Customers must be assured it's under control and to keep their business where it is!
More Commentary
Shared Reporting Services on the Horizon, Genpact Predicts
The financial services industry is starting to adopt shared services, resulting in reasonable impacts to the bottom line. Genpact expects a push for reporting efficiency will come next.
Don't Let the Cloud Rain on Your Operations Strategy Parade
Avoid migrating large applications all at once to minimize risk during a cloud project.
Could Intel Lose Data Center Market Share to ARM Chips?
ARM chips could be an alternative for certain purposes in the datacenter, but many questions have to be answered before they pose a threat to Intel's market dominance.
Cost to Trade: Hey, Banks, Its Time to Face the Music
Why is calculating the cost to trade so difficult for banks? The answer is as complex as the calculations themselves.
M&A Activity Will Continue to Grow in 2015
Data shows that the M&A market continues to improve, and forecasts indicate deal making will be healthy in 2015.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8, October 2014
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.
Video