An unexpected live test of operational resilience

In his blog post published 27 March 2020, Andrea Enria, Chair of the Supervisory Board of the European Central Bank (ECB) stated in the context of the COVID-19 pandemic that “Unlike in the 2008 financial crisis, banks are not the source of the problem this time. But we need to ensure that they can be part of the solution. To this end, our mitigation measures aim to allow banks to keep providing financial support to viable households, small businesses and corporates hardest hit by the current economic fallout.” To be part of the solution, banks are expected to guarantee business continuity in an environment marked by uncertainty and the rise of coronavirus-themed cyber-attacks. In preparation for this ambitious goal, on 3 March 2020 the ECB already sent a letter (PDF 155 KB) to all significant institutions in which they outlined their expectations to enhance preparedness and to minimise the potential adverse effects of the spread of COVID-19, many of which relate to IT continuity requirements.

So what are the key implications for banks that have emerged due to the COVID-19 crisis since the ECB letter was sent out, and which could affect their ability to maintain business continuity?

1. On 24 March 2020, the Indian government made a decision to lockdown effectively the entire country for 21 days in order to slow the spread of the virus in India. This has serious implications for banks that use resources in India as part of their back-office processes. For example, typical offshored activities include general ledger activities such as journal posting and the production of financial statements, which given the first quarter filing requirements for most banks could become an issue when deadlines arrive in the next weeks. Further offshored activities such as cash operations or call centre/help desks mean that the potential disruption could be wide ranging over these weeks and is not necessarily focused on one key activity.
2. COVID-19 has also meant that banks are facing an increase of likelihood for an IT failure affecting technical infrastructures (e.g. data centres, telecom connections, remote sites, backups and data storage solutions, monitoring/capacity solutions, denial of service solutions, etc) given changes in usual operating procedure, new risks arising from working remotely, and increased cyber-attacks such as phishing campaigns. Banks are faced with having to change their approach to security operations during the pandemic, especially as more of them need to consider as part of their contingency plans and exit strategies alternative systems or solutions such as cloud computing.
3. Given the widespread lockdowns that have occurred not only on European basis but also on a global basis, there has been a surge in demand from both customers and clients to access banks on a digital platform. Banks have often shut branches in response to the pandemic and must now deal with more and more capacity demands for day-to-day banking activities. Furthermore, depending on how digital demand increases, banks may have to reduce either product offering or services in order to meet the operational resilience capacity.
4. As well as the increased risk of external cyber-attacks, remote operating locations and relaxing of some regulations eg: allowing trading room activities to occur outside of the trading room to facilitate home office working, or the cessation of some on-site activities from internal and external auditors or supervisors could present an opportunity for an increase in fraud risk internally at the bank. Furthermore, with the increase in government assistance in the lending space being made available, it is quite likely that there will be an increase in the numbers of applications for relief from clients and customers, and there could be a risk that some claims would be made fraudulently. In an environment where IT controls over checking claims and approving funds may be performed rapidly without adequate oversight, banks may become subject to further losses.

In response to these implications above, IT Risk management functions and key personnel can consider the below questions they could ask themselves in order to best address these implications or prepare for an increase in IT-related challenges if the COVID-19 crisis continues for a significant time.

• Have you considered which are your critical functions and suppliers that you rely on for the key upcoming operational tasks (such as the production of financial reporting for Q1) and have you identified alternative solutions to these critical activities? Banks should have already developed and securely stored an inventory of such critical activities, services and resources which should prove invaluable during the pandemic to dynamically react to further lockdowns that could impact their internal operations.
• Have you identified your key IT personnel, including information security teams or other key dependents for incident and problem response, who could fall ill due to quarantines in place or may be unable to fulfil their regular duties at full capacity? Is it clear who will furthermore take important decisions should the traditional hierarchy (eg: CIO, CISO) be unable to make the appropriate calls? Banks should take advantage to consult or update their crisis management framework and include sections on realistic scenarios during the pandemic such as loss of staff of external service providers, in order to meet this challenge. Furthermore, they should identify immediately the possible impacts of disruptions in services with regards to the business processes that could be affected by the pandemic, and assess recovery time objectives, recovery point objectives, and maximum tolerable downtimes if that’s not already the case.
• Have you monitored digital usage from clients and customers, and can you scale to meet changing demand? If decisions must be made regarding discontinuing certain products or services in order to ensure digital capacity, can you make prioritisations on a dynamic basis? Contingency test results from previous tests could be used to predict where banks see future digital demands, and furthermore the results of the COVID-19 pandemic can be leveraged to bolster contingency planning for the future, or a potential second wave in winter 2020.
• Have you evaluated your major existing operations, controls, policies and procedures when it comes to day-to-day information security management to identify potential vulnerabilities and detect unusual behaviour, given the extraordinary measures and relaxing of some regulations due to the COVID-19 crisis? In cases where elements of fraud have already occurred, have you considered implementing changes to procedures to prevent reoccurrence of the incident? Security information and event management (SIEM), intrusion detection solutions (IDS), event analysis and escalation procedures should assist management in prioritising known and identifying new vulnerabilities as well as rapid communication strategies to stakeholders should assist in ensuring applicable staff are aware of any new procedures. Furthermore, IT logs should assist management in reviewing on a more frequent basis any unauthorised logins or overriding of controls to help detect any instances of internal fraud.
  

Considering the aforementioned implications and responses to operational resilience, banks should also consider collecting data and KPIs that will be part of the lessons learnt and the continuous improvement process, for which supervisors could potentially ask in the aftermath of the COVID-19 pandemic. Cases of incidents, outages, disruption, unplanned downtime, unauthorised accesses should be formally documented. They can be used in the future to strengthen the effectiveness of crisis management procedures and protective measures. Such cases could include:

• How many data breach security incidents resulted from mobile devices and mobile / removeable storage devices (such as laptops, USB sticks, smartphones, tablets, etc.) accessing the corporate network happened during the pandemic?
• How many breaches of confidentiality (unauthorised access to data) were caused by security incidents (including cyber-attacks) during the pandemic? What was the average detection time? What was the average recovery (resolution) time?
• What was the total number of successful COVID-19 themed cyber-attacks (including those aiming at outsourced service providers) and what was the total amount of direct and indirect costs (e.g. losses, resulting penalties or fees, expenses for response and recovery activities, staff hours, involvement of external experts)?
• How many times were the IT continuity and disaster recovery (DRP) plans triggered during the pandemic?
• What was the overall unplanned downtime (in hours) of critical IT systems and material customer services during the pandemic (incl. those caused by external service providers)?
• What was the number of unauthorised accesses to critical IT systems processing confidential data or the number of detected overrides of key controls in the IT space? What were the number of fraudulent applications for government relief made and the associated circumstances? What was the number of fraudulent activities undetected on a timely basis?
  

The COVID-19 pandemic is a wake-up call for banks to consider holistically their organisation and evaluate how their IT capabilities can help them to face extreme events, even the ones we all thought were unlikely to occur. As stated by the ECB, this time banks can be part of the solution. However, being part of the solution i.e. providing financial support to the ones hardest hit by the current economic fallout requires the ability to maintain operations in extraordinary and adverse circumstances, hence bringing the concept of operational resilience again to light.

Several supervisors, including the ECB, have acknowledged over the past years that a growing reliance of banking operations on IT platforms, digitalised product channels for banking services, outsourcing to third-party providers of IT-related tasks and functions, and communication networks makes banks vulnerable to a wide range of operational risks - but what the pandemic is showing us now is that the multi-dimensional response needed to achieve operational resilience (governance, adequacy and expertise of resources, business continuity planning, information security including cyber-security management, and third-party provider management) cannot be done without agile and coordinated IT capabilities at the core.

With publications from the UK regulators and more expected from the Basel Committee, other regulators and supervisors including the ECB may have a closer look at the concept of operational resilience in the near future - and the COVD-19 pandemic could be what they just needed to further develop and implement this concept.