Principles for Data Recovery from a Severe Cyber Scenario

Overview:

Financial institutions build and sustain capabilities to mitigate the impact of events that may compromise the confidentiality, integrity or availability of firm and customer data. As part of this process, financial institutions plan and exercise how they would respond to an extreme-tail event such as a highly destructive cybersecurity incident, so as to mitigate harm to financial markets, counterparties, customers and the investing public. Regulatory agencies around the world are similarly focused on the resilience of an institution’s critical operations both during, and while recovering from, a potential disruptive event.

This paper is intended to prompt increased dialogue between financial institutions, trade associations and regulatory authorities on a rapidly evolving topic. It lays out a set of principles that could align regulators, the financial sector and all three lines of defense within an organization around a cohesive view of resilience. A key objective of this paper is to highlight the challenges of meeting regulatory obligations during extreme cyber events that result in data corruption.

Meeting today’s regulatory mandates may be aspirational; the goal of the financial institution is to ensure that firm and customer information is not put at risk. If not implemented safely, rapid recovery based on mandated regulatory guidelines could harm investors, a firm’s ability to service its customers and, potentially, financial stability across the sector.

Regulators should support industry resiliency and recovery practices that strive for a safe but rapid recovery, recognizing that firms and regulators have a shared interest in recovering critical operations as quickly as possible, but only if recovery is carried out in a way that does not result in further harm to the firm or to financial markets.