Business continuity management and cyber resiliency
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Introductions
Eric Wunderlich, CRMA, ABCP
Senior Manager, Risk and Internal Audit
Eric.Wunderlich@bakertilly.com
312 729 8185

Agenda
> Business Continuity Management Overview
> Top Threats and Vulnerabilities
> Trends and Other Considerations
The Cost of Disruption
IT outage: $53,210 average cost per minute of downtime for minor incidents; up to $14.25M average cost of IT outages over 24 months
Cyber / data breach: $11.6M average cost of a cyber attack and data breach; up to $58M average cost of remediation
Severe weather: ranked 2nd among sources of supply chain disruption; up to $360,000 average cost of severe-weather-related events
Source: Business Continuity Institute, Counting the Cost, 2014

Cybersecurity in Insurance
> Higher incidence of cybersecurity threats and attacks
  2nd most frequently hacked sector and a top-ten sub-sector
  41 known security breaches in the insurance sector
  3.5 million identities stolen in the finance/insurance industry in 2016
> Common attacks include phishing and ransomware
  60% of all attacks were insiders; of that 60%, roughly two-thirds of the insider attacks were carried out with malicious intent
  Ransomware is mostly distributed via e-mail, with an average of 1,200+ global ransomware detections daily
  FBI estimates that $400 billion in intellectual property is leaving the US each year
Business Continuity Defined
"Business Continuity Management is a management process that identifies risk, threats and vulnerabilities that could impact an entity's continued operations and provides a framework for building organizational resilience and the capability for an effective response." - Disaster Recovery Institute
"Business Continuity Management is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities." - ISO 22301:2012

Business Continuity Overview
1. Program initiation and planning
2. Risk evaluation and control
3. Business impact analysis (BIA)
4. Develop continuity plans
5. Training and implementation
6. Testing and maintenance
Ongoing project management and communication runs across all six phases.

Business Continuity Overview
Plan | Responsibility | Focus of plan | Objectives
Emergency Response | Facility | Get the people out safely | Develop procedures and policies to ensure the safety of employees, visitors, and the community immediately after the occurrence of an event.
Crisis Management | Crisis Management Team | Protect the company | Focus corporate efforts to respond to any incident that has a significant negative impact on the enterprise.
Business Continuity | Facility or major function | Get the business up and running | Establish procedures that provide for the continuation of business operations in the event of a crisis at the corporate, divisional, or site level.
Disaster Recovery | IT | Get the systems up | Establish system recovery plans to restore technology (access to data and systems) in the event of a disaster.

Business Continuity Overview
Business Continuity Plan objective: back to normal as quickly as possible.
Timeline from the incident (time zero):
Emergency Response: within minutes after the onset of an event
Crisis Management: minutes to days
Business Continuity: minutes to days, depending on what's needed to survive
IT Disaster Recovery: minutes to days
Back to normal
Program Initiation and Planning
> Establish the need for BCM
  Regulatory and/or contractual requirements
  Organizational objectives
  Competitive advantages
> Obtain leadership and management support for BCM
  Develop a mission statement and/or charter
  Establish objectives and program structure
  Identify budget and resource needs
  Develop project plans and timelines
  Assign responsibilities
> Communicate, communicate, communicate
  Establish clear communication channels
  Disseminate across the organization

Risk Evaluation and Control
> Gain agreement on risk assessment and tolerance
  Understand the organization's risk tolerance
  Establish measurement criteria
> Conduct information gathering activities
  Develop the risk universe
  Collaborate with other groups and functions
> Evaluate and classify risk impacts and vulnerabilities
  Evaluate impacts of risks related to availability of personnel, information technology, and communication
> Identify and evaluate the effectiveness of controls and safeguards
(Figure: impact-versus-likelihood matrix with four quadrants: high impact / moderate likelihood, high impact / high likelihood, moderate impact / moderate likelihood, moderate impact / high likelihood.)

Business Impact Analysis
> Establish process and methodology
  Define objectives and scope
  Identify criteria to quantify and qualify impact
  Determine data collection and information gathering approaches
> Conduct data gathering activities
  Processes and/or functions
  Minimum resource requirements
  Interdependencies
> Prioritize processes and determine the order of recovery
  Identify gaps between current recovery capabilities and the results of the BIA

RTO and RPO Illustration
(Figure: a timeline running from the last data backup, through the disruption, to recovery of operations when the BC strategy is activated, and on to the function / service / application being operational to the owner's definition and the business process being functional. Labelled spans: initial data loss from the last backup to the disruption, post-disruption data loss (backlog), and the RTO.)
In this picture the data loss between the last backup and the disruption is what the Recovery Point Objective (RPO) must bound, and the time from the disruption until the function is operational is what the Recovery Time Objective (RTO) must bound.
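The "identify gaps between current recovery capabilities and the results of the BIA" step above, together with the RTO/RPO picture, is concrete enough to script. The example below is added here and is not part of the Baker Tilly deck: it takes the RTO/RPO each process was assigned in the BIA, compares them with the achievable values implied by the backup schedule and the last DR test, and orders recovery so that dependencies and criticality are respected. All process names, tiers, backup intervals and recovery times are constructed sample data, and the worst-case RPO formula (backup interval plus backup duration) is the assumption this example makes.

```python
"""BIA recovery-gap check (added example; constructed data, not from the deck)."""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Process:
    name: str
    criticality: int              # 1 = most critical, as ranked by the BIA
    rto: timedelta                # maximum tolerable downtime (BIA requirement)
    rpo: timedelta                # maximum tolerable data loss (BIA requirement)
    backup_interval: timedelta    # how often a backup is taken
    backup_duration: timedelta    # how long one backup run takes to complete
    measured_recovery: timedelta  # elapsed recovery time in the last DR test
    depends_on: tuple = ()        # upstream processes that must be recovered first


def achievable_rpo(p: Process) -> timedelta:
    """Worst-case data loss: the disruption lands just before the next backup
    completes, so everything since the previous completed backup is lost.
    (Assumption of this example: loss = interval + duration of a backup run.)"""
    return p.backup_interval + p.backup_duration


def gaps(p: Process) -> dict:
    """Shortfall of current capability against the BIA requirement, zero if none."""
    rpo_gap = achievable_rpo(p) - p.rpo
    rto_gap = p.measured_recovery - p.rto
    return {"rpo_gap": max(rpo_gap, timedelta(0)),
            "rto_gap": max(rto_gap, timedelta(0))}


def assess(processes) -> dict:
    return {p.name: gaps(p) for p in processes}


def recovery_order(processes) -> list:
    """Recovery sequence: a process is eligible once all of its dependencies are
    recovered; among eligible processes pick the most critical, then the
    tightest RTO. Unknown dependencies and cycles are reported, not ignored."""
    pending = {p.name: p for p in processes}
    for p in processes:
        missing = set(p.depends_on) - pending.keys()
        if missing:
            raise ValueError(f"{p.name} depends on unknown process(es): {sorted(missing)}")
    order = []
    while pending:
        ready = [p for p in pending.values() if all(d in order for d in p.depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(pending)))
        nxt = min(ready, key=lambda p: (p.criticality, p.rto))
        order.append(nxt.name)
        del pending[nxt.name]
    return order


H = timedelta(hours=1)

# Constructed sample BIA inventory (hypothetical processes and figures).
SAMPLE = [
    Process("Policy Administration", 1, rto=4 * H, rpo=1 * H,
            backup_interval=24 * H, backup_duration=1 * H,
            measured_recovery=6 * H, depends_on=("Active Directory",)),
    Process("Active Directory", 1, rto=2 * H, rpo=24 * H,
            backup_interval=24 * H, backup_duration=H / 2,
            measured_recovery=1 * H),
    Process("Claims Portal", 2, rto=8 * H, rpo=4 * H,
            backup_interval=4 * H, backup_duration=H / 4,
            measured_recovery=5 * H,
            depends_on=("Active Directory", "Policy Administration")),
    Process("HR Reporting", 3, rto=72 * H, rpo=24 * H,
            backup_interval=12 * H, backup_duration=1 * H,
            measured_recovery=12 * H),
]

if __name__ == "__main__":
    for name, g in assess(SAMPLE).items():
        flag = "GAP" if g["rpo_gap"] or g["rto_gap"] else "ok"
        print(f"{name:22} RPO gap {g['rpo_gap']}  RTO gap {g['rto_gap']}  {flag}")
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE)))
```

Two things the sample is built to show: a backup interval that equals the RPO still leaves a gap equal to the backup run time (Claims Portal, 15 minutes short), and a daily backup is a 24-hour shortfall against a 1-hour RPO no matter how fast the restore is (Policy Administration). The recovery order also puts Active Directory first even though Policy Administration shares its criticality tier, because nothing that depends on it can be recovered before it.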
Develop Continuity Plans
> Identify available continuity and recovery strategies
  Requirements for business functions and operations to meet RTO and RPO
  Internal and external options, e.g. repair/rebuild, alternate site, manual workaround, reciprocal agreement
  Assess the viability of recovery strategies
> Develop emergency response strategies
  Protection of life, property, and environment
  Consult and coordinate with public agencies on response strategies
  Develop a crisis communication plan and identify an authorized spokesperson
> Document recovery plans
  Site-level plans, functional or departmental plans, scenario-based plans, etc.

Training, Testing, and Maintenance
> Establish objectives of the training and exercise programs
  Obtain support of senior management and plan sponsors
  Identify the desired level of expertise to be achieved
  Align activities with recovery priorities and tactical requirements
> Identify appropriate audiences
  Prioritize groups based on awareness and training needs
  Goal is to increase awareness and establish confidence
> Develop a realistic, progressive, and cost-effective program
  Start simple and build on mastery
Top Threats and Vulnerabilities
Threats and Vulnerabilities (chart) Source: Business Continuity Institute, 2016 Horizon Scan Report
Threats and Vulnerabilities (cont'd) (chart) Source: Business Continuity Institute, 2016 Horizon Scan Report
Cybersecurity: Are You Prepared? Consider these
> Many companies lack the technical means to detect intrusion and data exfiltration activities
  69% of data breaches were externally discovered by law enforcement or customers (Source: Mandiant M-Trends 2015 Report)
  Median number of days from earliest compromise to detection: 205 (Source: Mandiant M-Trends 2015 Report)
> Business Continuity and Incident Response plans are critical to minimizing exposure from cyber attacks
  Involving Business Continuity Management saved on average $9 per record breached (Source: 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute)
> Communication and notification protocols help ensure timely and relevant information for internal and external stakeholders
  Customer/supplier notification protocols
  Media response and spokesperson

Cybersecurity: Are You Prepared?
Threat sources: hackers, espionage, identity thieves, malware; plus regulations
Services: cybersecurity risk assessments; cybersecurity/privacy compliance readiness; vulnerability assessment / penetration testing; cybersecurity architecture & implementation; cybersecurity policy & program development; SOC reporting
Industries at risk (share of spear phishing attacks):
  Services: 31%
  Manufacturing: 20%
  Finance, Insurance, Real Estate: 18%
  Retail/Wholesale: 10%
  All other industries: 21%
Source: Symantec Internet Security Threat Report 2015
Trends and Other Considerations
How does BCM fit into your organization?
What does your response plan cover?
How often do you perform simulations?
Who is involved in the simulations?
How often are plans invoked and why?
What scenarios should we plan for?
Feedback from BCP Invocation
Use of Technology
Self Assessment Questions
Customers
  Do we have a plan to reduce risk to our customers?
  What is the risk of losing a critical customer or channel?
Supply Chain
  Are we reliant on a single supplier? Do we have alternatives identified?
  Do we know the financial health of our suppliers?
Staff
  Do staff contracts give us flexibility (i.e. hours, location) to deal with a major disruption?
  Do staff know what to do if the office or facility is inaccessible?
Reputation
  Have we prepared messages for dealing with a major disruption or crisis?
  Do we have trained spokespeople for communicating with the media?
Information Technology
  Have we identified all critical information and IT applications?
  Is all critical information backed up and readily accessible?
  Have we appropriately addressed cyber security risks?
Sites & Facilities
  Do alternative office and facility locations exist? Are employees aware?
  Have we identified and communicated with local agencies and municipalities for emergency response protocols?

Critical Success Factors
01 Leadership Support and Buy-In
02 Communication and Awareness
  Awareness and training programs
  Clear lines of communication
03 Structured and Disciplined Approach
  One size does not fit all
  Align to organizational objectives and requirements
  Ensure the program and plan include the relevant components (the 3 P's)
04 Continuous Improvement
  Measure and track performance
  Testing and maintenance activities
"The time to repair the roof is when the sun is shining." John F. Kennedy