Most approaches to disaster recovery and business continuity typically prioritize data recovery without adequately addressing the need to maintain services during periods of impairment.

The Global Resilience Federation’s (GRF) Business Resilience Council (BRC) took action to address this gap in 2021 by establishing a multi-sector working group: the Operational Resilience Framework (ORF).

The ORF offers a set of guidelines and tools designed to aid companies in recovering immutable data while also minimizing disruptions to services. What sets this framework apart is its focus on both data recovery and service continuity, providing a comprehensive approach to resilience.

Designed to be versatile and applicable across various industries, the ORF is also aligned with established standards and controls, such as those outlined by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), ensuring compatibility and integration with existing frameworks.

An Example of How GRF Works

Launched in 2017, the GRF plays a crucial role in safeguarding essential services and critical infrastructure from cyber threats, criminals and rogue states. It facilitates collaboration and information sharing among BRC community members and across different industries to strengthen their defenses and response capabilities. This includes the establishment of trusted networks where intelligence can be shared about potential threats and vulnerabilities, enhancing the resilience of various sectors against cyber and physical threats, and ultimately helping to protect the essential services we all rely on.

As it pertains to the banking industry, over the span of several years, banks experienced persistent Distributed Denial of Service (DDoS) attacks, primarily targeting online banking services. These attacks involved the use of botnets, which are networks of compromised computers controlled remotely, to flood online banking systems with simultaneous access requests, rendering them inaccessible to legitimate users. Orchestrated by Iran through a proxy group they financially supported, over 50 banks were targeted in four distinct waves, each lasting weeks.

The severity of the attacks led to significant disruptions in online banking services, prompting urgent calls from leadership seeking guidance on how to respond. A collaborative effort was launched that asked affected banks to share information on how they were mitigating the attacks in real-time. By pooling their knowledge and resources, these banks were able to bolster their defenses and protect themselves from further damage.

The insights gained from this collaborative effort were shared with other members of the banking industry, enabling them to defend themselves against similar threats. Ultimately, through collaboration and knowledge-sharing, the industry was able to effectively counter DDoS attacks and enhance the overall security of financial institutions.

Operational Resilience Framework Community Tabletop Exercise Series

GRF and Nacha have joined forces to provide a free tabletop exercise aimed at evaluating your organization's resilience following a simulated but realistic cyber incident involving wiperware, which causes a significant ACH outage. This exercise covers various aspects of such an event, including IT operations, risk management, media handling, engagement with law enforcement and regulators, and an assessment of your organization’s priorities. Participants will engage in discussions and take steps to respond to the simulated emergency while facilitators guide the exercise's progression and introduce additional information.

This half-day event aims to enhance awareness of operational resilience within the ACH community and promote greater maturity by sharing best practices in cyber risk management, resilience, and continuity. Assess your organization’s readiness to recover from a destructive payments system attack.

Sign up for one of these free sessions here. The financial services exercise is designed for resilience practitioners from commercial banks, credit unions and core systems processors, and it is being offered to financial institutions at no cost.

Multi-Sector Exercise Is in Development

GRF is in the process of developing a similar exercise that would target all sectors’ systems and impact their payments and treasury operations. You can sign up to receive more information about this exercise, slated to be held in the second half of 2024.