Banking on operational resilience
Commercial banks’ dependence on information technology and communications systems makes them vulnerable to cybercrime. The dependence of businesses and people’s lives on banking services means that when banks are victims of cyberattacks a vast section of society faces major disruption.
The cyberattack that temporarily disrupted Bank of Valletta services on Wednesday showed how important it is for banks to anticipate the consequences of such attempts and to have plans in place to restore services as soon as possible.
Many perceive cyberattacks and technology failures as a failure of IT systems. The reality is that such mishaps, which one has to assume will happen at some time, cause business problems that could lead to a crisis if banking services are not restored in a reasonable time. The dominant position of Bank of Valletta in the local banking market means the tolerance of systems downtime should never be more than a few hours, at worst.
The headline news following Wednesday’s cyberattack is that no customer account was affected when €13 million were illegally syphoned from the bank. The Prime Minister sought to put depositors’ minds at rest, saying in Parliament that the situation was under control and that no depositor would lose any money.
However, the crux of this issue is that many businesses and individuals could not get on with their daily lives because the payments system failure meant they were unable to access the money in their bank accounts. It is on this issue that customers would want a reassurance that the business disruption would be very temporary. The rather quick resumption of most services at Bank of Valletta is indeed reassuring.
The continuity of business services is an essential component of operational resilience. While every effort should be made to enhance a bank’s IT system to protect against cyberattacks, it has to be assumed that incidents will happen. When banking systems fail, it is not just the resilience of the IT infrastructure that matters. It is the resumption of business services that must be resilient.
Cyberattacks happen suddenly. However much a bank’s management may have worked on preparing a business continuity plan, the real test comes in the way an affected bank manages the crisis that often follows a cyberattack.
A business impact assessment is complex and takes time. Understandably, customers start to ask questions. The safety of one’s deposits is a concern. However, the biggest worries relate to payment issues, whether one is about to travel and use a credit card to pay for expenses or to settle the bill at a supermarket when buying essentials.
A critical element of an effective business continuity plan is a good communications strategy. Customers interact with banks through branches, phone communication and, increasingly, by internet banking. Clear, honest information about the way that people are affected by a systems failure is a top priority for a bank’s senior management in a crisis. The same applies to politicians who make public statements on such situations.
Improving operational resilience is a journey and not a destination. Directors of banks and, indeed, of any service provider need to make sure they invest money in building up human and technological resources to understand and deal with cyberattacks and other IT failures. Operational resilience is always the most critical element of financial market integrity.
This is a Times of Malta print editorial