Financial institutions are faced with the prospect of disasters, including cyberattacks, political upheaval, and natural calamities. Having an effective approach to disaster recovery (DR) can help financial institutions meet their regulatory obligations, better protect themselves from the impact of a significant negative event and shore up resiliency and continue operating in the aftermath of a disaster.
How resilient is your organization when the next disaster strikes?
Whether a bank, credit union, or an insurer, the prospect of natural or manmade disasters present new risks to resiliency. Regulators are imposing heavy financial penalties where lapses in sufficient planning occur. Beyond the financial impact of fines and lost revenue, reputation risk can create significant damage to how a financial institution is perceived in the marketplace.
As financial institutions embark on cloud transformation initiatives and modernize their infrastructure to boost employee productivity and reduce total cost of ownership, they should also look to prioritize DR and data availability in the light of increased disaster risk.
- Reputational trust: Any loss in trust for a financial institution can create customers attrition to competing financial institutions that customers see as more trustworthy. Ensuring disaster recovery strategies are properly implemented reduces the chance of any reputational trust issues.
- Regulatory fines: While fines are typically rare in regulatory disaster recovery related audits, they are still very possible and can impact financial institutions significantly. The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have levied fines against several large financial institutions for a mismanagement of records.
- Increased scrutiny for regulatory approvals of M&A activities: Mergers and acquisitions require federal approval before they can be legally completed. The Federal Deposit Insurance Company (FDIC) requires financial institutions to be technically sound before approvals will be granted for additional acquisitions. Ensuring that disaster recovery strategies and procedures are in place are critical to maintaining support from regulatory bodies such as the FDIC for new acquisition activity.
Regulators are applying greater scrutiny on business continuity planning
Financial institutions are presented with unique challenges when developing DR strategies. Most organizations have an enterprise continuity plan (ECP) that includes disaster recovery. Unlike in other industries, having an effective disaster recovery plan is a requirement within financial services.
- The Federal Financial Institutions Examinations Council (FFIEC) issued requirements in 2015 that were influenced by the effect that Hurricane Katrina had on banks.
- The Financial Industry Regulatory Authority (FINRA) issues a series of review notices through the COVID-19 pandemic pertaining to preparedness for business continuity and disaster recovery.
Being able to quickly recover from a disaster is critical for the finance industry because these institutions are core to the running of any economy and the businesses and individuals that participate in it.
Only 20% of organizations reported that their disaster recovery plans were well integrated into their overall business continuity plan.
An effective disaster recovery plan for a financial institution needs to ensure not only business continuity but also the protection of sensitive data. Cloud-based disaster recovery, combined with a fast and secure connected application network, is essential for and financial institutions DR preparedness and should focus on three primary elements: data protection, adhering to compliance, and maintaining business continuity.
Data protection
Data handling, transmission, and management are top priority for financial institution leaders in a world with increased regulatory requirements and penalties. To ensure data is protected after a natural disaster, an outage, or a breach, financial institutions need to leverage a third-party colocation facility or cloud environment for their primary or backup data center.
The geographical diversity provided by employing a secondary site should reduce the chance that an institution could be negatively affected by a single, localized issue. Being able to transmit that data across a financial institutions network is fundamental to avoid regulatory breaches. When data is transmitted to a disaster recovery site, it is susceptible to being lost or stolen. The disaster recovery strategy needs to include the use of a secure network.
Adhering to compliance
Financial institutions are heavily regulated to protect against fraud and customer data. compliance regulations such as the Payment Card Industry Data Security Standard (PCI DSS) require that transaction records be preserved for a sufficient period of time so audits can be performed.
The FDIC requires that all insured institutions must maintain a disaster recovery strategy. The FDIC regularly audits financial institutions to ensure that alternate processing sites and backup procedures are in place for critical financial related data.
Additionally, the Sarbanes-Oxley Act demands that data storage, access, and retrieval be strictly controlled and that transaction records be maintained. To maintain compliance, a financial institution should develop a disaster recovery strategy with a partner that is familiar with these regulations. The disaster recovery solution needs to provide transmission to a secure location to prevent data loss or compromise.
Maintaining business continuity
In this digital era, maintaining uptime is essential for business continuity. Outages that persist for minutes can cost organizations millions in lost transactions and unhappy customers. If a natural disaster, a major equipment failure, or an outage interrupts financial transactions, the institution’s reputation may experience irreparable damage. For example, a ransomware attack could shut down business for days while a bank tries to find a fix. Clients will lose confidence and trust in the bank and deposit their money elsewhere.
Questions to consider for your disaster recovery strategy
As financial services leaders opine on their disaster recovery strategy, there are two primary questions to consider: what their recovery time objective (RTO) and recovery point objective (RPO) goals are, and what their preferred deployment model might look like.
Organizations should define their requirements for disaster recovery, usually in terms of RTO and RPO. These examine how fast the system must recover, and how much data it can lose (if any). These requirements will often determine if disaster recovery can be cold, warm, or hot.
Deployment model options:
- iPaaS: Integration Platform as a Service/Managed Infrastructure
- Private cloud: Self-managed private tenancy cloud infrastructure
- Public cloud: Self-managed shared tenancy cloud infrastructure
- On-premise: Private data center infrastructure
How can MuleSoft support your disaster recovery planning
MuleSoft’s Anypoint Platform offers multiple approaches from a disaster recovery perspective to support your organization’s RTO/RPO objectives.
- Cold standby: Inactive Mule runtimes deployed in a backup datacenter or cloud region.
- Warm standby: Active Mule runtimes deployed in different cloud regions or data centers, but not processing any transactions until a failure occurs.
- Hot standby: Active Mule runtimes deployed in different cloud regions or data centers that are processing transactions.
Anypoint Platform can also help organizations achieve application level disaster recovery integration patterns to meet RPO/RTO objectives for mission critical applications.
Conclusion
Disasters – natural or manmade – are increasing; to shore up resiliency, financial institutions need to have a robust disaster recovery strategy to ensure business continuity.
With MuleSoft, your organization will avail of built in resiliency through the use of high available and scalable architectures. Customers can leverage our single pane of glass control plane to manage workloads, high availability settings, and scalability requirements to ensure mission critical integrations meet your disaster recovery strategy needs across multiple locations transparently.
MuleSoft provides a portable runtime that can be deployed across on-premise, private cloud, public cloud, and iPaaS. This flexibility allows for a comprehensive disaster recovery strategy that facilitates a dynamic, hybrid architecture to meet the needs of your disaster recovery strategy now and as you grow and enable new business capabilities in the future.
