
Business Resiliency and Disaster Recovery (DR) are critical for any organization, but these activities are particularly vital for financial services firms.

Sensitive data and compliance requirements create additional pressures to safeguard systems and ensure data recoverability.

Furthermore, the reputational damage caused by data loss or an extended outage can be catastrophic.

In today’s uncertain atmosphere, it’s important to note that a disaster can come in many forms, such as a company suddenly placed under quarantine without the infrastructure in place to support remote operations.

Taking the following steps can help assure operational continuity and data protection.

If your firm does not currently have an experienced internal IT team, a trusted managed IT provider should be engaged to provide guidance.

1. Establish a Business Continuity Plan (BCP)

  • Meet and collaborate with leadership from all teams to identify and document critical data, systems, and applications.
  • Perform a risk assessment of this list. Identify any potential internal and external threats, the likelihood of each, and the severity of impact.
  • Classify data and applications according to criticality.
  • Consult with business line managers to define recovery objectives for each classification.
  • Identify and document any compliance requirements for data backups and disaster recovery (DR).
  • Include considerations for potential scenarios including but not limited to office closures and quarantines.
  • Determine the appropriate tools and processes to meet the identified requirements.
  • Select at least one Point of Contact (PoC) and secondary contacts to execute and oversee the BCP in a disaster scenario.
  • Include names and contact details for all BCP team members.
  • Document and communicate the plan. Ensure that all stakeholders and dependent personnel are informed of the BCP and have access to it.

2. Test Your Business Continuity Plan

  • Review the results from the last test. Confirm gaps have been remedied.
  • Perform a walkthrough with your BCP team, IT provider, and cyber/risk consultants to ensure everyone is clear on their role and the plan as a whole.
  • Execute the plan and document any newly discovered gaps, challenges, and improvements.
  • Make relevant adjustments, if needed.

3. Validate Vendor Readiness

  • Verify the ability of critical service providers to support your business during a disruption.
  • If a service provider is not prepared, consider an alternative vendor or work with them to see how you can assist.
  • Develop alternative processes (e.g., manual or in-house) to ensure the continuation of critical business operations.

4. Ensure Remote Access Capabilities for Essential Personnel

  • Provision laptop computers for personnel who are essential to business operations.
  • Require employees to carry laptop computers home each day.
  • Confirm remote access solutions like VPN or VDI are operational and that personnel are trained in usage.
  • Test employees’ ability to work remotely (e.g., rotate staff to work remotely on selected days during the week to identify issues proactively in anticipation of a facility closure or quarantine order).

5. Conduct Training

  • Conduct a webcast to review the BCP with your entire organization.
  • Ensure BCP team members understand roles and responsibilities during a business disruption.
  • Conduct tabletop exercises in preparation for office closures, quarantines, and health emergencies as well as public transportation and critical service provider disruptions.
  • Ensure employees understand how to work remotely and who to contact regarding access issues.

By following the above steps your firm will be prepared for business disruption and will be positioned to minimize the impact.

If you or your firm needs any assistance with developing a business continuity plan, IT strategy, cybersecurity solutions or compliance reporting, Coretelligent is here to help.

Contact our team of experts at 855-841-5888 or via email to info@coretelligent.com to schedule your complimentary initial consultation.

Financial services institutions have long been a top target for cyber threats. Access to a large amount of sensitive and confidential information makes the financial sector a target-rich environment for cyberattacks. In addition to mitigating cybersecurity threats, financial firms must also prioritize maintaining and strengthening compliance. Balancing these two priorities presents a unique set of challenges for companies in financial services.

With the inherent diversity of the financial services sector and the shifting cybersecurity and compliance landscape, identifying a one-size-fits-all set of vulnerabilities for all financial services institutions is impossible. However, there are common vulnerabilities to be aware of.

  • Reactively Evaluating Current Cybersecurity Posture:

    Institutions cannot address cybersecurity and compliance vulnerabilities of which they are unaware. Moreover, leaving these vulnerabilities unaddressed can have costly consequences. If unaddressed until an incident occurs, institutions have no choice but to utilize a reactive approach that can leave the business facing outages and shaken customer confidence. Instead, financial service firms should consider taking a proactive approach. By utilizing Coretelligent’s Cybersecurity Evaluation Checklist designed for financial services as a jumping-off point, financial service firms can do an initial assessment of existing vulnerabilities to discuss with a managed service provider (MSP).

  • Ransomware Attacks:

    As the world continues to become more digitally integrated, opportunities for ransomware attacks grow. In a ransomware attack, attackers use malware to gain access to your organization’s systems and encrypt its data (and increasingly exfiltrate it as well), then demand a ransom in exchange for restoring access or not publishing what was stolen. The results of these attacks are devastating. In addition to the price of the ransom, there are legal fees and other costs associated with damage control, as well as potential loss of data.

  • Access Vulnerability:

    Weak access controls at any level of an organization can leave sensitive data exposed to attackers. Cybersecurity integration is key across all divisions and at all levels of access in an organization. Cybercriminals will seek to exploit any weakness they identify at any level, regardless of the internal structure of the business.

  • Managing Compliance:

    The evolution of information technology has increased the compliance burden on the financial services industry. Financial service organizations are amongst the most regulated business segments in the U.S. However, simply maintaining compliance may no longer be enough. Instead, actively managing compliance risk and strengthening compliance overall is key in earning customer confidence and avoiding costly penalties.

  • Business Continuity:

    What comes next if the worst happens and a cyberattack hits your company? Is your data backed up safely? How quickly would you be able to restore access to users? A proactive and dynamic backup and disaster recovery solution is critical for preventing business interruption and loss of essential data, which could trigger a compliance violation. Off-the-shelf, onsite backup solutions often do not provide the level of performance required to meet the needs of financial and investment organizations, and backups that live only on the same network as production are exposed to the same ransomware or site failure as the systems they are meant to protect. It is vital to establish a solution before an outage to ensure timely recovery and minimize interruption time for clients.

Addressing security and compliance vulnerabilities may seem challenging, but Coretelligent can help. Working with Coretelligent means working with an IT partner who understands both the security and compliance needs of the financial services sector. Contact us today at 855-841-5888 or fill out our online form.

FINRA Rule 4370

The Financial Industry Regulatory Authority (FINRA) recently announced the completion of its review of FINRA Rule 4370 and will retain the Rule as it currently stands. FINRA put the Business Continuity Plan (BCP) Rule 4370 into place to ensure continuity of operations for broker-dealer firms following a disruption or disaster. FINRA based its decision to keep Rule 4370 intact on the recently completed BCP Rule and Pandemic Review, both of which highlight the benefits of the Rule.

The FINRA BCP Rule requires broker-dealers to maintain continuity plans designed to ensure their ability to resume business operations after an interruption or in the event of a disaster. Regulatory Notice 21-44 clarifies the compliance obligations for broker-dealers that had been waiting to see whether FINRA would update or retain the Rule.

Background on Rule 4370

In early 2019, FINRA announced a retrospective review of the Rule to determine its effectiveness and viability. In addition, FINRA weighed the costs, risks, and benefits of developing, maintaining, and implementing BCPs against those of not having them.

According to FINRA’s announcement, stakeholders reported that Rule 4370 was working as intended. FINRA observed that the Rule’s “flexible, non-prescriptive, and risk-based approach has been effective in ensuring firms of all sizes are prepared for potential business disruptions.”

Additionally, during the early stages of the pandemic, FINRA published Regulatory Notice 20-08, which recommended that member firms review their plans for pandemic preparedness.

What Does This Mean For Your Firm?

FINRA has made it clear that firms should continue developing and maintaining plans according to Rule 4370. However, FINRA will not be providing specific guidance; firms are on their own when it comes to fulfilling the requirements for compliance.

What Are the Next Steps?

New and established brokerage firms will need to evaluate their status regarding Rule 4370 to confirm that they are compliant and operating with an effective BCP. However, a BCP alone is not enough to ensure continuity.

For firms looking to assess their disaster readiness and compliance, a BCP that will hold up when it is needed rests on six critical components.

    1. Establish or Evaluate Existing BCP
    2. Test BCP
    3. Validate Vendor Readiness to Support BCP
    4. Ensure Remote Access for Essential Personnel
    5. Educate Personnel and Conduct Training
    6. Routinely Repeat this Process

By following these steps, your firm will be prepared for potential business disruptions and remain compliant. Of course, there is more involved in each of these steps. For more granularity, read our post, Business Continuity Checklist for Financial Services Firms, which outlines just how to assure operational continuity and data protection.

Coretelligent is here to help your firm navigate the details in developing and maintaining a business continuity plan. We can also assist with incorporating it into your IT strategy, cybersecurity solutions, and compliance reporting. As an MSP with considerable experience within the financial services industry, Coretelligent understands the regulatory imperatives required of you and your business. That is one of the main benefits of working with an IT partner with deep industry knowledge and expertise.

Reach out and we will work with your IT and compliance teams to review your BCP and develop a roadmap to make sure your firm is secure.