BCP testing key to cyber attack recovery for credit unions

It’s been a few months since the FFIEC released the revision to the BCP booklet called Appendix J: Strengthening the Resilience of Outsourced Technology Services. In the time elapsed, we’ve had a chance to review this information in light of business continuity planning and the increased requirements related to vendor management.

Two key recommendations are to participate in critical third-party service provider (TSP) testing and to coordinate cyber-attack incident response plans.

As stated, it’s important to request the opportunity to participate in disaster recovery exercises with your critical TSP. However, depending upon the provider, getting on the test list can take some time. Between now and then it’s important to review the results of tests conducted with other financial institutions as may be provided by the TSP.

Appendix J also expands on cybersecurity concerns and the need to coordinate incident response plans with your TSP. So here’s an opportunity to get the most out of your testing exercise with your TSP. Schedule a tabletop exercise of your incident response plan with key members of your BCP team. Request a copy of your TSP’s incident response plan and create a cyber-attack scenario which theoretically disables the TSP from providing service to your financial institution. Walk through how the TSP’s incident response plan would handle this scenario, and ask each key team leader from your BCP team to provide feedback on how this disruption would affect their functional area.

One key benefit is identifying any gaps between your incident response plan and that of the third-party service provider. Specifically, you will learn who is responsible for notifying your customer or member, when they should be notified, and how. In addition, you will be able to assess the preparedness of your BCP team leaders and associated plans in the event of a cyber-attack.

Your BCP planning efforts should include incident response, especially for incidents related to cybersecurity. A tabletop exercise like this will help you assess both and get the most out of your limited time.

Steve Fochler, CBCP is Senior Business Advisor for Risk Services at Strohl Risk Solutions. He can be reached at sfochler@erm365.com

As Senior Business Advisor, Risk Management Services, Steve is responsible for helping Strohl Risk Solutions customers succeed. Steve leans on his twenty-eight (28) years of experience to help financial institutions, ... Web: www.strohlrisksolutions.com