Continue reading this on our app for a better experience

Open in App
Floating Button
Home Digitaledge In Focus

Taking a proactive approach to operational resilience

Christophe Barel
Christophe Barel • 6 min read
Taking a proactive approach to operational resilience
Despite the glaring threats, many Apac financial firms demonstrate a reactive approach to cyber risk management. Photo: Unsplash
Font Resizer
Share to Whatsapp
Share to Facebook
Share to LinkedIn
Scroll to top
Follow us on Facebook and join our Telegram channel for the latest updates.

In today's complex and interconnected global financial ecosystem, financial firms face new and evolving risks. Increasing reliance on third-party service providers for software and infrastructure who often do not have the same legacy of robust cybersecurity standards as the financial sector means that financial firms cannot only rely on their existing abilities to thwart cyber attacks. They must be resilient; able to continue operating in the face of disruption that comes their way.

Operational resilience encompasses several traditional activities, such as business continuity and risk management, to ensure the company can stay agile in the risk landscape. As opposed to cybersecurity, which focuses on preventing and defending against cyberattacks, resilience is about maintaining operations in the face of such attacks.

Recognising the significance of operational resilience, economies are shifting emphasis from preparing for specific attacks such as ransomware to being prepared for any unforeseen circumstances. A notable example is the EU's Digital Operational Resilience Act (DORA), which lays down the requirements for the industry to prevent, detect, contain, and recover from incidents related to information and communication technology (ICT).

Is Asia Pacific (Apac) prepared for future cyber risks?

Apac's diverse levels of economic and technological development, social and political instability, and an array of cybersecurity challenges all underscore an urgent need to reinforce and expand operational resilience practices in the financial sector.

Citing supply chain cyber risk management as a critical concern, 98% of Apac security, IT, and tech executives reported being affected by cybersecurity breaches in their supply chains. Alarmingly, 39% of respondents in the region admitted being unable to identify emerging cyber risks in third-party vendors. Another study by FS-ISAC also identified ransomware as one of the top concerns in Apac.

See also: Keys to achieving human-centred automation testing

Despite the glaring threats, many Apac financial firms demonstrate a reactive rather than a proactive approach to cyber risk management, putting them at risk of falling behind their global counterparts in building resilience. For instance, more than one in three respondents in Asia (35%) evaluate new technology for cyber risks only after a cyberattack or incident has occurred, compared to 17% globally. Additionally, only 12% of companies in Asia quantify their financial exposure to cyber risk, compared to 26% globally. These figures highlight the need for organisations in the region to adopt a proactive approach to operational resilience.

Fundamentals of building operational resilience

To mitigate the impact of the threats above, financial businesses must gain a comprehensive understanding of their risk landscape, internal and external interconnections, continuity plans, and risk management strategies.

See also: Human element still important for effective mass communication

There are fundamental principles of operational resilience programmes for financial institutions, which can be a starting point to build and customise depending on the size, complexity, and role in the ecosystem.

Assess internal and external factors to identify risks

  • Understand your Critical Operations: This includes identifying operations critical to business continuity and management, and key dependencies of the internal and external systems and processes on which they rely.
  • Understand your risk and threat landscape: Creating a feasible and effective response plan requires organisations to understand their risk and threat landscape. This ensures that the organisation has all the relevant information necessary to protect against and mitigate disruption.

    To map the risk and threat landscape, organisations may communicate with internal and external groups such as cybersecurity teams, information-sharing bodies and government partners that may provide them with information on potential or current hazards. Maintaining an internal inventory of assets (both physical and digital), threats, and event classes may also be in the organisation’s best interest.

Plan to protect and respond

  • Develop a risk-based approach to protect critical operations: Organisations should identify the acceptable outcomes of risks that are commensurate with their board’s risk appetite, and then determine the maximum tolerable level of disruption for each designated critical operation. This allows management to have a comprehensive view of their system’s ability to resist, absorb, and recover from or adapt to an adverse occurrence. This will also enable them to create controls and plans for potential hazards as well as to prioritise risks.

    One way to develop a risk-based approach is gaining access to cross-border and timely intelligence into the financial ecosystems through member information-sharing communities such as FS-ISAC. A closer understanding of the global threat landscape can help financial firms protect against threats that start in one place and migrate elsewhere.
  • Develop response plans: Response plans are essential to maintain order and synchronisation during incidents and crises. These plans should incorporate lessons from previous incidents and exercises, which may influence required adjustments or procedural standards. These plans should also identify important individuals and teams within the organisation, and their roles and responsibilities in times of crisis.

Prepare in advance

  • Conduct Exercises: Running regular mock exercises can help organisations test several components of incident response both internally and externally. This helps ensure that their practices and procedures for addressing a crisis are practical, feasible and effective.

    Governments worldwide are also stepping up information-sharing and resilience-building exercises to safeguard the financial ecosystem. In April 2023, the Monetary Authority of Singapore (MAS) and the US Treasury collaborated to conduct bilateral workshops to enhance cybersecurity policies and protocols. These workshops were aimed at bolstering the current procedures for information exchange and improving coordination for incident response related to cyberattacks involving banks operating in the two markets.

    Apac financial firms can also participate in exercises conducted by member-driven industry communities such as FS-ISAC that enable organisations to build resilience through training, exercises, and sharing defence strategies.
  • Implement Effective Governance: Organisations may need to seek effective governance from both internal and external partners to ensure they operate and develop enterprise-wide plans that comply with applicable laws and regulations and are efficient, feasible and safe to execute.

To stay ahead of the latest tech trends, click here for DigitalEdge Section

By pivoting towards a proactive approach to building operational resilience, the financial sector can better navigate the complexities of today's interconnected world, and ensure continuity, adaptability, and robustness in the face of evolving risks.

In addition, a proactive approach to operational resilience can reap significant business benefits, including reducing the cost of disruption, increasing customer loyalty and trust, efficient allocation of resources, and increasing agility to pursue new market opportunities.

The principles above should guide organisational efforts to develop muscle memory to mitigate future risks. However, it is imperative for the industry to adopt a comprehensive approach, which includes incorporating intelligence and knowledge sharing, regular cyber exercises, and a mindset shift in prioritising cyber risk, among others, to build operational resilience.

Christophe Barel is the managing director for Apac at FS-ISAC

Highlights

Re test Testing QA Spotlight
1000th issue

Re test Testing QA Spotlight

Get the latest news updates in your mailbox
Never miss out on important financial news and get daily updates today
×
The Edge Singapore
Download The Edge Singapore App
Google playApple store play
Keep updated
Follow our social media
© 2024 The Edge Publishing Pte Ltd. All rights reserved.