31 July 2017
Countries should work together to improve business continuity management at European level
Business continuity management is one of the essential measures against cybercrime, because it increases the quality of internal processes and by doing so it reduces the risk of and impact from cyberattacks. How is this business continuity managed on a European scale? Leon Strous, Senior policy advisor at De Nederlandsche Bank, explains why business continuity transcends national policy and why every country has to collaborate.
The European Union has now taken a step forward in strengthening the defensive line against cybercrime with a new directive. This European Network and Information Security (NIS) directive imposes requirements on the security of processes and systems or infrastructures. The directive should be implemented in national law by mid-2018 and applies to so-called providers of essential services. With this new directive, companies in the EU are indirectly obliged to take steps to improve their business continuity processes: better internal processes reduce the impact of incidents due to cybercrime.
Availability and integrity
“At first glance, it seems that the measures focus on the countering of cyberattacks and may be more in the field of information security, but business continuity is also very important here,” said Strous. “Cyberattacks can affect availability and the integrity of data.” In addition to availability, integrity is an increasingly important issue of business continuity management. Strous: “How to ensure that a copy of data has not been contaminated or how far do you have to go back in time to make sure that the data of the backup is correct? And what to do with transactions in the meantime?”
All of these questions are important for companies to be compliant with the new directive, but answering those questions can be complicated. “Collaboration between various disciplines, between institutions and between government and private parties is needed to maximize the continuity of processes and resilience against disturbances,” according to Strous. He thinks the best way to remove the barriers between all stakeholders is to organize joint exercises. “This can be seen on international level as well. DNB, for instance, contributes to organizing European exercises, such as a major exercise on TARGET2 that took place at the end of 2015 with all of the countries in the euro area.”
Variations between countries
Organizing exercises within one company can already be a hurdle when agendas have to be aligned. Imagine the challenge of organizing an exercise between countries, with different languages, processes and cultures. “We work together really well in Europe, but variations between countries can’t be denied. For instance, in some countries it is easier to ask the highest management to participate in an exercise than in other countries,” explained Strous. In addition, the difference in size of the sector (such as the number of banks and complexity of infrastructures) plays a role in the way countries collaborate.
Larger exercises can therefore be interchanged with smaller ones, on a much smaller scale. Several countries, such as Belgium, England, France and the Netherlands, have already advanced in the cooperation between financial institutions and authorities, also across borders, thanks to the work of the national banks. Those countries share experiences with and learn from each other. Collaboration between those countries is gradually increasing, which means, for instance, that exercise calendars are being aligned wherever possible and joint exercises are being prepared step by step.
Strous is convinced that those joint exercises are the most valuable way to improve business continuity at European level as well. Although the new directive is all about policy from above, it has a bottom-up effect on a human level. “Through those joint exercises you come across really practical issues that can be caused by cultural differences. Once you are aware of those differences, they can be managed in the right way. People learn faster in practice than by policy.”