How to meet regulatory expectations for cyber resilience

In its recent cyber resilience oversight expectations publication, the European Central Bank (ECB) defines that “Financial stability may depend on an FMI’s (financial market infrastructures) ability to settle obligations when they are due. Therefore, an FMI’s arrangements should be designed to enable it to resume critical operations rapidly, safely and with accurate data in order to mitigate the potentially systemic risks of failure to meet such obligations”. It goes further into details and identifies that “The FMI should store backup copies in an alternate storage site which is not co-located with the operational system, with transfer rate consistent with actual recovery point objectives”.

Europe is not alone. Chairman Jay Clayton from SEC (U.S. Securities and Exchange Commission) stated not long ago that “Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery” while National Cybersecurity Center of Excellence (NCCoE) says “It is imperative for organizations to recover quickly from a data integrity attack and trust the accuracy and precision of the recovered data” in its Recovering from Ransomware and Other Destructive Events publication.

Meeting such expectation is not trivial for a large Financial Firm; Commonly such firms have dozens of datacenters in different locations hosting thousands of file servers and database servers that need to meet the recovery point objective (RPO) – at any given time.

Continuity Software helps the world’s leading organizations, including 6 of the top 10 US banks, to achieve resilience for their hybrid IT environments. One of the tools we provide them with is the Data Protection Status report (powered by AvailabilityGuard™). This report will automatically map out how data is being protected (see samples 1-2); this include showing:

• Solutions used to protect the data.

First, it allows you to know whether the data is protected at all – does it have any remote copies?

Then for protected data the report will show what solutions are used to maintain a remote copy – for instance it will show that EMC VPLEX active-active storage mirroring or Hitachi TrueCopy replication is in place or that Database Log Shipping is used to maintain a remote copy.

• Actual available recovery points.

One of the great things about AvailabilityGuard in general and specifically this report is the ability to measure the actual currently available recovery points. As noted by ECB, it’s not enough to protect the data, FMIs must also ensure recovery point objectives are met. AvailabilityGuard calculates the actual age of each copy, local and remote, whether the copy is produced at the storage host, database or virtual machine level. This feature allows IT organizations to review on an ongoing basis the actual recovery points and automatically identify when recovery point objectives are violated – and remediate it before a cyber scenario occurs.

• Location of the active system versus the location of the copy.

As indicated by ECB, it is utterly important to ensure that the data copy is stored on a separate storage system located remotely in a different facility. This ensures data will remain available and secured under various cyber scenarios. Thus, the report will present the location of the source active data versus the location of the data copy.

Sample 1: High level Protection Status Summary for E-Payments business service

Sample 2: Detailed Protection Status for E-Payments business service