16 August 2018
Large-scale exercise UNITAS in Frankfurt shows the importance of European collaboration in a crisis situation
Of course, every organisation aims to prevent a crisis from happening. But sometimes an incident or crisis beyond our control cannot be prevented. In that case, organisations need a plan to continue business, or resume it, as soon as possible.
In order to improve business continuity and crisis communication at European level, the European Central Bank (ECB) organised a large-scale exercise at the end of June in Frankfurt, attended by the largest financial market infrastructures and their overseers from the euro area. Petra Steenbakker, senior policy officer at De Nederlandsche Bank (DNB), explains why business continuity management is so important, what the added value of European collaboration is and what conclusions she drew from the exercise in Frankfurt.
Crisis and business continuity management
Hopefully, the financial sector will not find itself in a situation where business-critical processes no longer function. But in this unlikely event, it helps if the institutions are fully prepared. While the financial regulators have already set many requirements with respect to information security, business continuity and crisis management, another layer is introduced now that EU countries are transposing the European Network and Information Security (NIS) Directive into national law. This is one of the reasons why the ECB initiated the exercise, which focused on crisis management, in Frankfurt.
A complete stand-still
The consequences can be substantial, according to Steenbakker. She says: “Imagine that payment transactions come to a complete stand-still because of cyber-attacks, acts of terrorism or a large-scale natural disaster. People cannot use debit cards, withdraw cash, or use internet banking. This situation would quickly escalate and lead to social disruption and upheaval. If the system does not work for a longer period of time, it will cause substantial economic damage to individuals, businesses and society at large. In the event of a global outage, things can escalate rapidly. This is also the case if, for example, due to a cyber-attack data integrity can no longer be guaranteed.”
Payment processes operate across borders
To mitigate social disruption and economic damage as much as possible, it is essential for the financial sector to be able to continue or restore processes such as payments and portfolio investments as soon as possible. These processes are being operated across borders, which is why, according to Steenbakker, it is important for European financial market infrastructures and regulators to cooperate with and learn from each other. “If, for example, something happens in France, it could impact not just the French financial sector but have implications throughout the entire euro area.”
Frankfurt was the site of the second major European exercise. The first one took place at the end of 2015. The scenario discussed this time concerned data integrity issues: what would happen if information was corrupted by hackers accessing the organisation’s internal structural systems? Steenbakker: “Via facilitated discussions several questions were discussed, such as: How do you act at that moment? Is your staff prepared and trained? Who do you inform? How do you communicate about this to the outside world and at what level? How can you collaborate to tackle the problem as quickly as possible?”
Cultural differences play a big role
At the moment an evaluation report based on observations and feedback from participants is being produced. The report will end up on the desk of the ECB’s Governing Council. Steenbakker: “The participants were all very positive about the exercise. The importance of these kinds of exercises is acknowledged. Everyone creates new insights and learns from each other, on a cultural and technical level. Different parties may be competitors, but it is very important to act as a united front in a crisis situation. In order to succeed in doing so, it definitely helps to know each other in person.”
Steenbakker saw that cultural differences play a big role. “Everyone approaches situations in a different way. Sometimes something is obvious or very common in one country, but not so much in another country.” According to Steenbakker, this should be taken into account during handling and settlement in a crisis situation. She concludes: “After all, we all have the same goal: to be able to continue or resume the critical services we offer under all possible circumstances.”
Structures and distances are different
She gives an example of cultural differences. In the Netherlands it is common within the financial sector to communicate directly and openly with each other. This was also the case in January of this year when several banks were affected by a large-scale DDoS attack. This attack prevented consumers from using internet and mobile banking for a while. According to Steenbakker, institutions exchanged information directly with each other and with DNB, despite commercial motives. “Everyone was open and honest talking about problems and solutions. In many countries, communication is managed more cautiously, because cultural aspects, organisational structures and hierarchical distances are different from ours.”
“Perhaps next year or in 2020, but it will be of a different type and scale, with other institutions and new scenarios. Organising events such as this is a huge task; it is time-consuming and requires a lot of preparation from the institutions involved. It also requires a lot from the participating institutions, we realise that. But it is clear that these exercises contribute to an improvement of business continuity and resilience of all institutions and infrastructures involved and are obviously something the financial sector as a whole considers to be very useful.”