AFP: Business continuity starts with careful plans


A series of tough questions greeted a room of just-arrived attendees at AFP in Nashville, Tennessee, before the keynote address from Malcolm Gladwell, who delved into weighty matters, exploring anecdotes and examples from his new book Revenge of the Tipping Point.

The kickoff group session on the topic of ‘Ensuring Operational Resilience: The Imperative of Business Continuity Planning’ was sobering to the audience of corporate and bank managers, who were asked to consider what it would mean from a risk and operational perspective to recover from a major disruption to their business functions. The most critical of all: “Do you have a business continuity plan (BCP) – and who have you shared it with among your employees, partners, insurance carriers, etc?”

Audience members were advised to follow up an assessment of potential risks with development of a BCP document that not only considered current factors and concerns but could and would also be updated regularly and shared with all affected areas of the organisation in planning, drills, and regular meetings to refine its central and ancillary elements and procedures.

Having a plan to recover is the first place to start. That’s the only sensible way for impacted companies to prepare the way to recovery, said presenters Janet Weber of Duquesne Light Company (formerly of US Steel) and Ben Zviti of Marsh Insurance. One crucial part of that recovery is knowing which people – and how many of them – among a company’s key employees are most important to be in place to initiate action steps and take the necessary measures to put the organisation back online or in operation.

Another pivotal element of any business continuity plan is its objectives, including all of the foregoing on people and systems and bringing them together – as in making sure that the employees who are part of the response to an incident are able to access the important systems and capabilities that will point the way to its successful recovery.

Treasurers have special responsibilities dealing with major systems and funds flows related to commitments not just to restore the company’s ability to operate, but also to keep its financial engines and payments – including employee payroll – and collections running despite whatever outages have compromised the ability to function normally.

Communication is the start, along with being sure to share the details of the plan not just with senior management and the individually affected departments, but also with the IT group and even major vendors. These are all part of optimal protection measures every company should take to gird itself against collapse during periods of inability to function normally.

Making certain the plans are tested and updated regularly is also part of the prescription for protection from operating and financial loss in such unexpected scenarios. Weber recommended that several copies of the BCP be created and shared in various forms (electronic and printed) in several locations.

“If you don’t test it, you don’t continuously update it, don’t even consider it an asset. It’s a liability. That’s your plan,” Weber said and continued: “maintenance, routine maintenance” makes sure the plan is good. Companies should incorporate the feedback, make the changes as appropriate to the plan ongoing, she asserted. “Because again, it’s not worth the paper it’s written on, or the system in which it’s stored if it’s not accurate.”

After an audience member from a large public entity related how she and her team were hit by an August ransomware attack, the audience was reminded of a major system outage – the most expensive in history, at an estimated $5.4 billion cost to those affected. That cascading failure of Windows-based systems in July of this year was caused by the misconfigured CrowdStrike software patch that was uploaded to computers across the world and ended up shutting down the software powering thousands of organisations even after it was recalled.

As for the ransomware attack, which was later found to be linked to a similar attack at the British Library in November 2023, the treasury leader from the organisation impacted by the August ‘Rhysida’ ransomware attack shared the second part of her story. That was the fact that she and her staff had prepared and drilled, many times, for such an incident. They had designed a detailed communications and systems outage contingency plan. That effort ended up being incredibly important, and ultimately extremely valuable in cost and time savings to their response and eventual recovery, despite much of the company’s principal software and systems being rendered useless for more than a week.

Zviti’s portion of the presentation centred on the importance of companies arming themselves with insurance coverage against cybercrimes as well as outages, explaining that the many types of cybersecurity and business interruption insurance available in the marketplace usually demonstrate their worth when incidents occur. But only if companies demonstrate they’re prepared first.

“Unlike many other types of insurance policies,” the attorney from Marsh explained, with a humorous bent, “where lawyers get hired to debate whether direct means direct or indirect, cyber insurance does actually pay for the most part.”

The next part of Zviti’s message was especially telling, emphasising just how critical measures like those Weber and the audience member had shared were to qualify for such coverage. “Interestingly, today, you cannot buy cyber insurance unless you do all the things that Janet said. You have to [follow] all those best practices. The cyber insurance underwriters ask that of your information security team, of your business continuity team, and if you don’t answer those questions, and if you don’t show those best practices, you might not get coverage, or you might not get good coverage. So, everything that Janet said, please do!”


Tue, 22 Oct 2024 11:46:00 GMT