Over the past several years, I’ve had the pleasure of working with many financial institutions (FIs) reviewing and testing both their Incident Response Plan (IRP) for Cyber Security and Business Continuity/Disaster Recovery Plans (BC/DRP). I am pleased to say that most FIs have plans in place to deal with unplanned outages, whether cyber or disaster related. However, the effectiveness of those plans to truly protect the FI and its customers is highly dependent on testing the plan at various levels.
One of the challenges of testing is keeping people involved and excited about the testing process: getting them to show up for the tests and, more importantly, to follow up and modify their portion of the plan based on the test results.
I want to share with you an approach I have used to build excitement among team members and break the monotony and boredom associated with testing. This approach has been used at many FIs, at conferences, and at the Graduate School of Banking. It is currently being conducted at our Jack Henry Cybersecurity Forums, free sessions hosted by Jack Henry for FIs across the country.
The key elements making this approach unique include interaction, collaboration, education, humor, and drama. I will highlight critical areas where you can customize your exercise to capture the best results. The exercise works best when representatives from each business unit attend along with the executive team, and requires a strong facilitator and advanced planning. Below is the process for executing the mock exercise:
- Review the current plan and previous test results. The overall objective of the test should be to identify gaps in the BCP or IRP. This includes both gaps already known and gaps not yet identified, elements of the plan that are outdated, new services offered without proper recovery strategies and procedures in place, etc. A review of the previous test results is also required to ensure that elements from the previous test that required modification have been corrected and are now ready to be tested again.
- Determine the exercise scenario, scope, and scenario narrative. This is where you determine whether your exercise will address a cyber-attack or a natural/man-made disaster. Once the scenario is determined, what will be the scope of the incident? Will it impact the entire FI and customer base or just particular areas and specific customers? Will the incident be localized to the FI or impact the entire community, e.g., an isolated power outage compared to a tornado or hurricane?
Once the scenario and scope are decided, it is time to portray the event through the narrative, the storyline the drill participants will follow. It should include dates and times and portray interactions with employees, customers, vendors, etc. The idea is to make the storyline as close to an actual event as possible. The narrative should be delivered in phases, and after each phase, allow time for team members to address the situation. This helps maintain the participants' interest throughout the exercise, because everyone loves a story. Also, since participants will have to anticipate what the next steps and challenges will be, an atmosphere of suspense is generated that holds their interest.
I would also suggest using pictures and videos to enhance the realism of the scenario and magnify the emotional experience of the participants. Think: tornado/hurricane pictures, cyber attackers, screenshots from a ransomware attack.
- Develop drill challenge questions or situational injects. Adding challenge questions that reflect real-world situations keeps team members constantly thinking and forces them to go deeper in their responses. The challenge questions should be geared toward executive management, business units, and vendors, and should force decisions having to do with operations, customers, employees, vendors, and regulators.
For example, if the scenario is a cyber-attack in which customer and employee data was exfiltrated from the FI and is now being sold on the dark web, a few challenge questions would be:
- How would you confirm the data that was being sold on the dark web came from the FI?
- What entities would you notify to assist in the assessment of the situation?
- At what point will employees/customers be notified, and what specifically will your message be to them? Do you notify all employees/customers, or just a segment within the groups?
The typical flow would be to provide a phase of the narrative and then present a challenge question. Once the challenge question is presented, allow time for the groups to collaborate and develop a response.
- Identify drill participants and roles. The participants involved in the exercise will depend on the scenario and scope of the incident. Our exercises have ranged from a single business unit to the Crisis Management/Incident Response Team. I have also used this approach for an entire FI employee base in one setting.
In addition to identifying the participants, also assign roles to be played by someone: an angry customer, a supporting vendor or support agency, a news reporter. Have the role players confront employees as they would in a real situation. Believe it or not, this type of confrontation helps set the stage for how a real event would unfold while driving emotion into the equation. This is another element that makes this approach more exciting and interactive: the dramatization of the event.
- Conduct the drill. The length of the exercise will vary with its scope and participants. The exercise can be scheduled or can occur without the participants' prior knowledge. The idea is to have fun while remaining serious. I have found that the exercise is more productive when conducted with representatives from multiple business units. Have the representatives from each business unit sit together so they can collaborate and make decisions based on the challenge questions put in front of them for their department.
For some of the decisions made, have a group spokesperson share the results with the larger group so everyone is aware and can provide additional feedback. Someone within the group should also document the responses to the challenge questions so the results can be used to improve the overall BCP or IRP.
Below is the flow the exercise should follow:
- Review the drill and modify the plan. Conduct a meeting within a week with the major participants to discuss the results of the drill. This is where you measure your test objectives against the actual results. For objectives that were not met, and for new elements that emerged from the exercise, an action plan should be developed and assigned for remediation. The results should be documented and presented to the board for approval.
In summary, the key to effective testing is ensuring participation by the key stakeholders on an ongoing basis. There should always be an attempt to find better and different methods of energizing the testing exercise to keep participants involved. And remember, build and test your plan to get through an actual event, not just to satisfy the examiners.
Looking for free resources to help you bolster your cybersecurity strategies? Visit the ProfitStars Cybersecurity Awareness Resource Center today for tips and helpful insight to elevate your #FIcybersavvy!