Without access to data, Credit Unions can’t operate. As the internet has matured and the cost of data storage has dropped, protecting complex data sets has become a priority for Credit Unions and other businesses. Business continuity planning (BCP) and disaster recovery (DR) have emerged as essential because severe disruption to business is perceived as more likely than ever before.
These days, businesses must be prepared for everything, from natural disasters through to hacks and data security attacks.
Equifax Inc., a leading U.S.-based provider of direct and credit marketing applications to Credit Unions, suffered two hacks in quick succession in 2017, which led to the retirement of two of its top security executives. These breaches had serious implications for Credit Unions using their services. Had a proactive framework been in place prior to these breaches, the impact on affected companies may have been detected sooner and contained. Instead, they faced some tough fire-fighting decisions, with cost being a major consideration, as well as the impact on operations while the investigation was carried out.
The digitisation of financial services has brought about the decentralisation of information; we now live in a world where offering a viable alternative to a physical Credit Union is imperative, and disruptions to these services cause downturns in member perception. As well as ensuring members’ continued access to their data, Credit Unions must also be able to meet regulatory demands. Without a proactive business continuity plan which includes regular and periodic security checks, the Credit Union is at risk of falling foul of both its members and the CBI.
So what is required from Credit Unions when it comes to protecting business-critical data? In order to meet these responsibilities, it’s important that Credit Unions carry out a thorough evaluation of their current IT provisions. It’s important to ask:
- If disaster strikes, how is DR invoked and delivered onsite?
- After an event, how long will it be before my Credit Union can complete transactions and run reports again?
- In extreme cases, can my Credit Union’s entire operation be replicated (complete with hardware) in another branch or public building so we can continue to serve our members?
- Finally, how does our current IT partner stack up when faced with these questions?
Business continuity planning and testing
Both BCP and DR strategies are concerned with protecting your Credit Union’s data, but while disaster recovery is concerned with storing raw data and protecting it, a business continuity strategy takes into account how a business will operate beyond a seismic event.
What is Disaster Recovery?
DR is the setting up and monitoring of continuous off-site data replication to your supplier’s servers, usually located in a data centre. Packets of data are encrypted and sent over a secure VPN or MPLS connection to the data centre every few minutes. A good supplier will offer a hardware recovery kit, stored and maintained by the supplier, and will ensure a data and IT system recovery plan is in place. Disaster recovery is invoked when unforeseen circumstances such as a fire, flood, earthquake, or other geological event cause complete disruption to a Credit Union’s day-to-day operations. Data backups are essential for restoring operations to a point in time before the event.
What is Business Continuity Planning?
Business continuity is a system or strategy that enables Credit Unions to resume normal business operations with minimal disruption following hardware issues. It involves the continuous automatic transferral of data from a primary server to a standby secondary server, which takes over in the event of a primary server failure. Having this standby failover server shortens the time to restart. All relevant core system files and folders are delta-replicated in real time on the second server. These include database files, application programs, and a reports directory. The two servers monitor each other’s status, and a quality provider will ensure they’re programmed to ‘step up’ within 5 minutes of an outage being detected in the partner server.
Both strategies are nothing more than nominal if just written down and filed away within the pages of a service level agreement. For example, each data migration that occurs introduces the possibility of a problem and raises the risk that data will be lost. Therefore, checking that migrations are complete and comprehensive is integral to your Credit Union’s proactive approach to managing its data.
If your BCP and disaster recovery plan doesn’t include the proactive monitoring and testing of your IT infrastructure, you may face increased scrutiny from regulators, who have expressed a need for Credit Unions to be more involved in this process. A proactive DR/BCP has to be actually implemented, not merely documented, and periodically reviewed. This boils down to a need for calendarised tests and regular liaisons with the Credit Union’s IT services provider(s).
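As an illustration of what a calendarised replication check might actually verify, here is an added example (not the article’s or any provider’s code) that compares a primary server’s core files against the standby replica by SHA-256, measures replication lag against the 5-minute step-up window mentioned above, and produces a dated record that can be kept as evidence. The directory layout, the replica’s last-sync timestamp and the sample files are all constructed assumptions for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# The article's own figure: a standby should step up within 5 minutes of an outage,
# so a replica lagging more than that cannot meet the stated recovery window.
MAX_LAG = timedelta(minutes=5)

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def check_replica(primary, replica, last_sync, now):
    """Compare primary and standby content and replication lag; return an audit record."""
    src, dst = manifest(primary), manifest(replica)
    missing = sorted(set(src) - set(dst))                                  # never copied
    mismatched = sorted(p for p in src if p in dst and src[p] != dst[p])   # copied but stale or corrupt
    lag = now - last_sync
    return {
        "checked_at": now.isoformat(),
        "files_on_primary": len(src),
        "missing_on_replica": missing,
        "hash_mismatch": mismatched,
        "replication_lag_seconds": int(lag.total_seconds()),
        "passed": not missing and not mismatched and lag <= MAX_LAG,
    }

def run_demo():
    """Constructed sample (assumption): a primary with database, application and report
    files, and a replica that is missing a report and holds a stale database file."""
    primary, replica = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"db/members.dat": b"members-v2", "app/core.bin": b"core", "reports/daily.csv": b"csv"}
    for rel, data in files.items():
        for root in (primary, replica):
            if root == replica and rel == "reports/daily.csv":
                continue  # not yet replicated to the standby
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"members-v1" if root == replica and rel == "db/members.dat" else data)
    now = datetime(2018, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed check time
    return check_replica(primary, replica, now - timedelta(minutes=7), now)

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The record fails here for three independent reasons (a missing file, a stale file and a 7-minute lag), which is exactly the kind of finding a test log needs to capture rather than a bare "replication is on".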
Maintaining Business Continuity with proactive tests and inspections
Business continuity planning means nothing without constant testing. For DR/BCP, when the failover and mirroring process is automatic, it can be easy to assume it is working in the background without proper oversight and maintenance. But assumptions aren’t adequate, and this explanation won’t pass an in-depth due diligence test. The details and regularity of checks should be covered in your SLAs, but it is up to the Credit Union to ensure these actually happen (unless the Credit Union has a Managed Service in place).
Additionally, it is important to consider how this data will be recovered in the event of an incident, rather than just how the data is backed up. In the face of a disaster, your Credit Union needs to get up and running again as quickly as possible - if data is sitting elsewhere in silos, inaccessible, it is no good to anyone. If your Credit Union was out of action for ten hours, how much would that cost you? Recovery times are just as important as backup times.
Here are more reasons why testing is paramount:
- Peace of mind: Annual testing provides a safety net to make sure that everything is working the way it should be and also provides evidence for bodies (e.g. CBI, auditors, consultants and your board members) of what tests have been completed and their results.
- Disruption minimised: Proactive monitoring and testing flags up any issues with your system instantly, allowing you to better pre-empt any issues that could affect your Credit Union and your members. It means that you know about potential problems before they become actual problems, and minimises the risk of disruption.
- Dodge hefty non-compliance fines: Regular checks and testing, such as those covered in a Managed Service SLA with an IT provider, reduce the operational and financial risks of fines from regulatory bodies.
- Minimise risk: When a Credit Union enlists a Managed Service, it is choosing a strategic IT partner to help it run the best version of its business. Having clear processes and step-by-step guides in place means you have a paper trail of processes that can be followed to minimise risk.
In bygone times, software solutions built expressly for contingency planning were expensive and beyond the reach of most small-to-medium enterprises, but advances in technology have now made it much more affordable to secure your Credit Union.
For financial services, where market needs are heightened, regulatory bodies are taking a keen interest in how institutions are dealing with members’ data. They have also expressed that they want to see more Credit Unions involved in understanding their BCP and disaster recovery plan. It is not enough just to have measures in place on paper; these must be effective, resilient and workable - and this must be proven. It’s also imperative to exercise caution when outsourcing control of IT systems and services to third-party providers. The onus is on Credit Unions to check that their partners, and any data going through a shared service, are covered by an additional DR/BCP.
If a regulatory body or auditor can’t be furnished with a record of checks, it may raise questions about your Credit Union’s preparedness for crises. If servers are irrevocably compromised or a plan is not in place to recover them, your Credit Union faces substantial reputational risk and loss of trust among members. Nowadays, there is no time for downtime, and data is a delicate matter.
With a Managed Service, your Credit Union’s IT provider shares risk and responsibility for handling data both in its raw form and on the systems and servers where it is replicated and stored.
Calendarised checks and testing provide an essential layer of security, ensuring that Credit Unions meet the strict due diligence criteria demanded by regulatory bodies and offer peace of mind that they would survive an event with minimal disruption to services.
Your Credit Union needs to be fully charged and prepared for any challenges that it may face in a highly volatile and changing environment. A complete Credit Union Managed Service offers something money can’t buy - peace of mind. Download our eBook to find out more.