OM-5 Business Continuity Planning
OM-5.1 Introduction
Why do Financial Institutions Need Business Continuity Plans?
OM-5.1.1
All businesses may experience serious disruptions to their business operations. These disruptions may be caused by external events such as flooding, power failure or terrorism, or by internal factors such as human error or a serious computer breakdown. The probability of some events may be small but their potential consequences massive, whereas other events may be more frequent and have shorter time horizons. The Joint Forum (the Basel Committee on Banking Supervision (BCBS), the International Organisation of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS)) has given additional background and context to the need for business continuity in its paper of August 2006 titled "High Level Principles for Business Continuity" (www.bis.org).
October 07
OM-5.1.2
According to the Joint Forum, in its paper, Business Continuity is "a whole of business approach for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of disruption. Its purpose is to minimize the operational, financial, legal, reputational, and other material consequences arising from a disruption". The objectives of a good business continuity plan ("BCP") are:
(a) To minimise financial loss to the licensee;
(b) To continue to serve customers and counterparties in the financial markets; and
(c) To mitigate the negative effects that disruptions can have on a licensee's reputation, operations, liquidity, credit quality, its market position, and its ability to remain in compliance with applicable laws and regulations.
October 07
OM-5.1.3
Banks play a critical role in an economy, in providing payment services, as holders of people's savings, and as providers of finance. Hence, a BCP is especially critical for banks. It helps ensure that their business operations are resilient and that the effects of disruptions in service are minimised, and thus helps maintain confidence in the banking system.
October 07
Scope and Key Elements of a BCP
OM-5.1.4
The requirements of this Chapter apply to all retail and wholesale banks (whether locally incorporated or a branch).
October 07
OM-5.1.5
Branch licensees of foreign banks may apply alternative arrangements to those specified in this Module, where they are subject to comprehensive BCP arrangements implemented by their head office or another member of their group, provided that:
(a) They have notified the CBB in writing what alternative arrangements will apply;
(b) They have satisfied the CBB that these alternative arrangements are equivalent to the measures contained in this Chapter, or are otherwise suitable; and
(c) The CBB has agreed in writing to these alternative arrangements being used.
October 07
Implementation
OM-5.1.6
The requirements in this Chapter must be complied with in full by 1 October 2007. Failure to comply with these requirements after that date will trigger a supervisory response, which may include formal enforcement measures, as set out in Module EN (Enforcement).
October 07
OM-5.1.7
For contingency planning relating to outsourcing activities, see Section OM-3.6.
October 07
OM-5.2 General Requirements
OM-5.2.1
To ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption, all conventional bank licensees must maintain a business continuity plan (BCP) appropriate to the scale and complexity of their operations. A BCP must address the following key areas:
(a) Data back-up and recovery (hard copy and electronic);
(b) Continuation of all critical systems and activities, and counterparty impact;
(c) Financial and operational assessments;
(d) Alternate communication arrangements between the licensee and its customers and its employees;
(e) Alternate physical location of employees;
(f) Communications with and reporting to the CBB and any other relevant regulators; and
(g) Ensuring customers' prompt access to their funds in the event of a disruption.
Amended: October 2012
October 07
OM-5.2.2
Effective BCPs must be comprehensive: not limited to disruption of business premises and information technology facilities, but covering all other critical areas that affect the continuity of critical business operations or services (e.g. liquidity, human resources and others).
October 07
OM-5.2.3
Licensees must notify the CBB promptly if their BCP is activated. They must also provide regular progress reports, as agreed with the CBB, until the BCP is deactivated.
October 07
OM-5.2.4
The CBB recognises that BCPs involve costs, and that it may not be cost effective to have a fully developed and implemented BCP for all conceivable worst-case scenarios. However, the CBB expects licensees to plan for how they would cope with the complete destruction of the buildings and surrounding infrastructure in which their key offices, installations, counterparties or service providers are located. The loss of key personnel, and a situation in which back-up facilities might need to be used for an extended period of time, are also important factors in effective BCPs.
October 07
OM-5.2.5
Licensees may find it useful to consider two-tier plans: one to deal with near-term problems, which should be fully developed and able to be put into immediate effect; and another, which might be in paper form, to deal with a longer-term scenario (e.g. how to accommodate processes that might not be critical immediately but would become so over time).
October 07
OM-5.3 Board and Senior Management Responsibilities
Establishment of a Policy, Processes & Responsibilities
OM-5.3.1
A bank's Board of Directors and senior management are collectively responsible for the bank's business continuity. The Board must endorse the policies, standards and processes for a licensee's BCP, as established by its senior management. The Board and senior management must allocate adequate resources to develop the BCP, and for its maintenance and periodic testing.
October 07
OM-5.3.2
Licensees must establish a Crisis Management Team (CMT) to develop, maintain and test their BCP, as well as to respond to and manage the various stages of a crisis. The CMT must comprise members of senior management and heads of major support functions (e.g. building facilities, IT, corporate communications and human resources).
Amended: July 2011
October 07
OM-5.3.3
Licensees must establish (and document as part of the BCP) individuals' responsibilities in helping prepare for and manage a crisis, and the process by which a disaster is declared and the BCP initiated (and later terminated).
October 07
Monitoring and Reporting
OM-5.3.4
The CMT must submit regular reports to the Board and senior management on the results of the testing of the BCP (refer to Section OM-5.9). Major changes must be developed by the CMT, reported to senior management, and endorsed by the Board.
Amended: July 2011
October 07
OM-5.3.5
The Chief Executive of a licensee must sign a formal annual statement, submitted to the Board, on whether the recovery strategies adopted are still valid and whether the documented BCP is properly tested and maintained. The annual statement must be included in the BCP documentation and will be reviewed as part of the CBB's on-site examinations.
October 07
OM-5.4 Developing a Business Continuity Plan
Impact Analysis
OM-5.4.1
Licensees' BCPs must be based on (i) a business impact analysis, (ii) an operational impact analysis, and (iii) a financial impact analysis. These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.
October 07
OM-5.4.2
The key objective of a business impact analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.
October 07
OM-5.4.3
A typical business impact analysis comprises two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster; this stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment, which aims to determine how quickly the licensee needs to resume the critical business processes identified in stage one.
October 07
OM-5.4.4
An operational impact analysis focuses on the firm's ability to maintain communications with customers and to retrieve key activity records. It identifies the organisational implications associated with loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customers of such interruptions.
October 07
OM-5.4.5
A financial impact analysis identifies the financial losses (both immediate and consequential) that arise out of an operational disruption.
October 07
Risk Assessment
OM-5.4.6
In developing a BCP, licensees must consider realistic threat scenarios that may potentially cause disruptions to their business processes.
October 07
OM-5.4.7
Licensees should analyse a threat by focusing on its impact on the business processes, rather than on the source of the threat. Certain scenarios can be viewed purely in terms of business disruption in specific work areas, systems or facilities. The scenarios should be sufficiently comprehensive to avoid the BCP becoming too basic and thereby omitting steps that could improve the resilience of the licensee to disruptions.
October 07
OM-5.4.8
Business continuity plans must take into account the different types of likely or plausible scenarios to which the bank may be vulnerable. In particular, the following specific scenarios must, at a minimum, be considered in the BCP:
• Utilities are not available (power, telecommunications);
• Critical buildings are not available or specific facilities are not accessible;
• Software and live data are not available or are corrupted;
• Vendor assistance or (outsourced) service providers are not available;
• Critical documents or records are not available;
• Critical personnel are not available; and
• Significant equipment malfunctions (hardware or telecom).
Amended: October 2012
October 07
OM-5.4.9
Licensees must distinguish between threats with a higher probability of occurrence and a lower impact on the business process (e.g. brief power interruptions) and those with a lower probability and a higher impact (e.g. a terrorist bomb).
October 07
OM-5.4.10
As a starting point, licensees must perform a "gap analysis". This gap analysis is a methodical comparison of what types of plans the licensee requires in order to maintain, resume or recover critical business operations or services in the event of a disruption, versus what the existing BCP provides. Management and the Board can use the gap analysis to address the areas of the BCP that need development.
Amended: July 2011
October 07
OM-5.5 BCP – Recovery Levels & Objectives
OM-5.5.1
The BCP must document strategies and procedures to maintain, resume and recover critical business operations or services. The plan must differentiate between critical and non-critical functions. The BCP must clearly describe the types of events that would lead up to the formal declaration of a business disruption and the process for activating the BCP.
October 07
OM-5.5.2
The BCP must clearly identify alternate sites for different operations, the total number of recovery personnel, workspace requirements, and application and technology requirements. Office facilities and records requirements must also be identified.
October 07
OM-5.5.3
Licensees should note that they might need to cater for processing volumes that exceed those under normal circumstances. The interdependency among critical services is another major consideration in determining the recovery strategies and priorities. For example, the resumption of front office operations is highly dependent on the recovery of the middle office and back office support functions.
October 07
OM-5.5.4
Individual critical business and support functions must establish the minimum BCP recovery objectives for recovering essential business operations and supporting systems to a specified level of service ("recovery level") within a defined period following a disruption ("recovery time"). These recovery levels and recovery times must be approved by senior management before development of the BCP proceeds.
October 07
List of Contacts and Responsibilities
OM-5.5.5
The BCP must contain a list of all key personnel. The list must include personal contact information for each key employee, such as their home address, home telephone number, and cell phone or pager number, so that they may be contacted in case of a disaster or other emergency.
October 07
OM-5.5.6
The BCP must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.
Amended: July 2011
October 07
Alternate Sites for Business and Technology Recovery
OM-5.5.7
Most business continuity efforts depend on the availability of an alternate site (i.e. a recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or a site within the licensee's own real estate portfolio. A usable, functional alternate site is an integral component of a BCP.
October 07
OM-5.5.8
Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations, and the proximity of the alternate sites to the primary sites. Alternate sites must be sufficiently remote from, and must not depend upon the same physical infrastructure components as, a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).
Amended: July 2011
October 07
OM-5.5.9
Licensees' alternate sites must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls, such as access control systems and security guards, must be implemented in accordance with the licensee's security policy.
Amended: July 2011
October 07
OM-5.5.10
Beyond the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocating operations to the alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads); some staff may have difficulty commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to the alternate sites, should also be considered. Moreover, pre-arrangements with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.
October 07
OM-5.5.11
Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet the recovery requirements specified in the licensee's BCP. The sites should also have adequate telecommunication facilities (including bandwidth) and pre-installed network connections, as specified in the BCP, to handle the expected voice and data traffic volume.
October 07
OM-5.5.12
Licensees should avoid placing excessive reliance on external vendors to provide BCP support, particularly where a number of institutions use the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors actually have the capacity to provide the services when needed, and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.
October 07
OM-5.5.13
The contractual terms should include the lead time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability, including the specification of another recovery site in the event that the contracted site becomes unavailable.
October 07
OM-5.5.14
Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability (e.g. for cheque sorting and cash handling). Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. Such an arrangement could also make it difficult for licensees to test their BCP adequately. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.
October 07
OM-5.6 Detailed Procedures for the BCP
OM-5.6.1
Once the recovery levels and recovery objectives for individual business lines and support functions are determined, the development of the detailed BCP should commence. The objective of the detailed BCP is to provide detailed guidance and procedures, in a crisis situation, on how to recover the critical business operations or services identified in the business impact analysis stage, and ultimately to return to operations as usual.
October 07
Crisis Management Process
OM-5.6.2
A BCP must set out a Crisis Management Plan (CMP) that serves as documented guidance to assist the CMT in dealing with a crisis situation and avoiding spill-over effects on the business as a whole. The overall CMP must, at a minimum, contain the following:
(a) A process for ensuring early detection of an emergency or disaster situation and prompt notification of the CMT about the incident;
(b) A process for the CMT to assess the overall impact of the crisis situation on the licensee and to make quick decisions on the appropriate responses for action (i.e. staff safety, incident containment and specific crisis management procedures);
(c) Arrangements for safe evacuation from business locations (e.g. directing staff to a pre-arranged emergency assembly area, taking attendance of all employees and visitors present at the time, and tracking missing people through different means immediately after the disaster);
(d) Clear criteria for activation of the BCP and/or alternate sites;
(e) A process for gathering updated status information for the CMT (e.g. ensuring that regular conference calls are held among key staff from the relevant business and support functions to report on the status of the recovery process);
(f) A process for timely internal and external communications; and
(g) A process for overseeing the recovery and restoration efforts of the affected facilities and business services.
Amended: July 2011
October 07
OM-5.6.3
If CMT members need to be evacuated from their primary business locations, the licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distant from the licensee's primary business locations to avoid being affected by the same disaster.
October 07
Business Resumption
OM-5.6.4
Each relevant business and support function must assign at least one member to be part of the CMT to carry out the business resumption process for that business or support function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.
Amended: July 2011
October 07
OM-5.6.5
Generally, the business resumption process consists of three major phases:
(a) The mobilisation phase. This phase aims to notify the recovery teams (e.g. via a call-out tree) and to secure the resources (e.g. recovery services provided by vendors) required to resume business services;
(b) The alternate processing phase. This phase emphasises the resumption of the business and service delivery at the alternate site and/or in a different way from the normal process. This may entail record reconstruction and verification, establishment of new controls, alternate manual processes, and different ways of dealing with customers and counterparties; and
(c) The full recovery phase. This phase refers to the process of moving back to a permanent site after a disaster. This phase may be as difficult and critical to the business as the process of activating the BCP.
October 07
OM-5.6.6
For the first two phases above, clear responsibilities should be established and activities prioritised. A recovery tasks checklist should be developed and included in the BCP.
October 07
Technology Recovery
OM-5.6.7
Business resumption very often relies on the recovery of technology resources, including applications, hardware equipment and network infrastructure, as well as electronic records. The technology requirements needed during recovery for individual business and support functions should be specified when the recovery strategies for those functions are determined.
October 07
OM-5.6.8
Licensees should pay attention to the resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.
October 07
OM-5.6.9
Appropriate personnel must be assigned the responsibility for technology recovery. Alternative personnel need to be identified as back-up for key technology recovery personnel, in case the latter are unavailable to perform the recovery process.
October 07
Disaster Recovery Models
OM-5.6.10
There are various disaster recovery models that licensees can adopt to handle prolonged disruptions. The traditional model is an "active/back-up" model, which is widely used by many organisations. This traditional model is based on an "active" operating site with a corresponding alternate site (back-up site), both for data processing and for business operations.
October 07
OM-5.6.11
A split operations model, which is increasingly being used by major institutions, operates with two or more widely separated active sites for the same critical operations, providing inherent back-up for each other (e.g. branches). Each site has the capacity to take up some or all of the work of another site for an extended period of time. This strategy can provide nearly immediate resumption capacity and is normally able to handle the issue of prolonged disruptions.
October 07
OM-5.6.12
The split operations model may incur higher operating costs, in terms of maintaining excess capacity at each site, and added operating complexity. It may also be difficult to maintain appropriately trained staff, and the split operations model can pose technological issues at multiple sites.
October 07
OM-5.6.13
The question of which disaster recovery model to adopt is for individual licensees' judgement, based on the risk assessment of their business environment and the characteristics of their own operations.
October 07
OM-5.7 Vital Records Management
OM-5.7.1
Each BCP must clearly identify the information deemed vital for the recovery of critical business and support functions in the event of a disaster, as well as the relevant measures to be taken for protecting that vital information. Licensees must refer to Chapter OM-7 when identifying vital information for business continuity. Vital information includes information stored on both electronic and non-electronic media.
Amended: July 2011
October 07
OM-5.7.2
Copies of vital records must be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records must be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees must consider the need for instantaneous data back-up to ensure prompt system and data recovery. There must be clear procedures indicating how, and in what priority, vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.
Amended: July 2011
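
As an added illustration, not part of the Rulebook, of one way a licensee can check that an off-site copy of electronic vital records is complete, unaltered and within its back-up window before relying on it for resumption (the "reliable for business resumption purposes" test in OM-5.7.2, and the vital-records recovery exercise required in OM-5.9.3). The records, directory layout, manifest format and key handling below are assumptions made for the example; in particular, the HMAC key is assumed to be held separately from the records (for instance with the CMT's command-centre material), so that anyone able to alter the off-site copy cannot also rewrite the manifest to match.

```python
"""Added example (not CBB Rulebook code): keyed integrity manifest for an
off-site copy of vital records, plus a recovery-point (RPO) age check.

Assumptions (hypothetical): vital records are plain files under a directory;
the manifest key is stored apart from the records and the manifest itself.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
import time


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    # Deterministic encoding so the MAC covers exactly the same bytes on both sides
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records_dir, key, created=None):
    """Hash every file under records_dir and authenticate the listing with HMAC-SHA256."""
    entries = {}
    for root, _, files in os.walk(records_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, records_dir).replace(os.sep, "/")
            entries[rel] = _sha256_file(full)
    body = {"created": time.time() if created is None else created, "files": entries}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_copy(copy_dir, manifest, key):
    """Compare the off-site copy with the manifest; returns a report dict."""
    unsigned = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, manifest.get("mac", ""))
    report = {"manifest_authentic": authentic, "missing": [], "modified": [],
              "unexpected": [], "ok": False}
    if not authentic:
        return report  # a forged manifest says nothing useful about the files
    present = set()
    for root, _, files in os.walk(copy_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, copy_dir).replace(os.sep, "/")
            present.add(rel)
            if rel not in manifest["files"]:
                report["unexpected"].append(rel)
            elif _sha256_file(full) != manifest["files"][rel]:
                report["modified"].append(rel)
    report["missing"] = sorted(set(manifest["files"]) - present)
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def rpo_breached(manifest, rpo_seconds, now=None):
    """True if the copy described by the manifest is older than the recovery point objective."""
    now = time.time() if now is None else now
    return (now - manifest["created"]) > rpo_seconds


def demo():
    """Constructed sample: primary records, a clean off-site copy, then tampering."""
    key = b"manifest-key-held-separately"  # hypothetical; never stored with the records
    base = tempfile.mkdtemp()
    primary, offsite = os.path.join(base, "primary"), os.path.join(base, "offsite")
    os.makedirs(os.path.join(primary, "ledger"))
    with open(os.path.join(primary, "ledger", "2024-01-31.csv"), "w") as f:
        f.write("acct,balance\n1001,250.00\n1002,75.50\n")  # constructed data
    with open(os.path.join(primary, "signatories.txt"), "w") as f:
        f.write("A. Example - Treasury\n")  # constructed data
    manifest = build_manifest(primary, key, created=1_700_000_000)
    shutil.copytree(primary, offsite)
    clean = verify_copy(offsite, manifest, key)
    # Alter a record in the off-site copy: detected as "modified"
    with open(os.path.join(offsite, "ledger", "2024-01-31.csv"), "a") as f:
        f.write("1003,999999.00\n")
    tampered = verify_copy(offsite, manifest, key)
    # Rewrite the manifest to match the altered file without the key: MAC fails
    forged = dict(manifest)
    forged["files"] = {**manifest["files"], "ledger/2024-01-31.csv": "0" * 64}
    forged_report = verify_copy(offsite, forged, key)
    late = rpo_breached(manifest, rpo_seconds=24 * 3600, now=1_700_000_000 + 2 * 24 * 3600)
    shutil.rmtree(base)
    return clean, tampered, forged_report, late


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The manifest is built at the primary site when the copy is made and stored with the copy; the key is not. A retrieval drill then answers three separate questions: is the manifest genuine, does every listed record match it with nothing missing or extra, and is the copy recent enough for the recovery point the function agreed under OM-5.5.4. Non-electronic records still need the manual inventory and retrieval priorities that OM-5.7.2 requires.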
October 07
OM-5.8 Other Policies, Standards and Processes
Employee Awareness and Training Plan
OM-5.8.1
Licensees must implement an awareness plan and business continuity training for employees to ensure that all employees are continually aware of their responsibilities, and know how to remain in contact and what to do in the event of a crisis.
October 07
OM-5.8.2
Key employees should be involved in the business continuity development process, as well as in periodic training exercises. Cross-training should be used so that operations can be restored in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.
October 07
Public Relations & Communication Planning
OM-5.8.3
Licensees must develop an awareness programme and formulate a formal strategy for communication with key external parties (e.g. the CBB and other regulators, investors, customers, counterparties, business partners, service providers, the media and other stakeholders), and provide for the type of information to be communicated. The strategy needs to set out all the parties the licensee must communicate with in the event of a disaster. This will ensure that consistent and up-to-date messages are conveyed to the relevant parties. During a disaster, ongoing and clear communication is likely to assist in maintaining the confidence of customers and counterparties, as well as of the public in general.
Amended: July 2011
October 07
OM-5.8.4
The BCP must clearly indicate who may speak to the media and other key external parties, and have pre-arrangements for redirecting external communications to designated staff during a disaster. Important contact numbers and e-mail addresses of key external parties must be kept in a readily accessible manner (e.g. on wallet cards or the licensee's intranet).
Amended: July 2011
October 07
OM-5.8.5
Licensees may find it helpful to prepare draft press releases as part of their BCP. This will save the CMT time in determining the main messages to convey in a chaotic situation. Important conversations with external parties should be properly logged for future reference.
October 07
OM-5.8.6
As regards internal communication, the BCP should set out how the status of recovery can be promptly and consistently communicated to all staff, the parent bank, head office, branches and subsidiaries (where appropriate). This may entail the use of various communication channels (e.g. broadcasting of messages to staff mobile phones, the licensee's websites, e-mail, intranet and instant messaging).
October 07
Insurance and other Risk Mitigating Measures
OM-5.8.7
Licensees must have proper insurance coverage to reduce the financial losses that they may face during a disaster. Licensees must regularly review the adequacy and coverage of their insurance policies in reducing any foreseeable risks caused by disasters (e.g. loss of offices, critical IT facilities and equipment).
October 07
Government and Community
OM-5.8.8
Licensees may need to coordinate with community and government officials and the media to ensure the successful implementation of the BCP. This establishes proper protocol in case a city-wide or region-wide event impacts the licensee's operations. During the recovery phase, facilities access, power and telecommunications systems should be coordinated with the various entities involved to ensure timely resumption of operations. Facilities access should be coordinated with the police and fire department, depending on the nature and extent of the disaster.
October 07
Disclosure Requirements
OM-5.8.9
Licensees must disclose how their BCP addresses the possibility of a future significant business disruption and how the licensee will respond to events of varying scope. Licensees must also state whether they plan to continue business during disruptions, and the planned recovery time. Licensees might make these disclosures on their websites, or by mailing to key external parties upon request. In all cases, BCP disclosures must be reviewed and updated to address changes to the BCP.
Amended: July 2011
October 07
OM-5.9 Maintenance, Testing and Review
Testing & Rehearsal
OM-5.9.1
A BCP is not complete if it has not been subject to proper testing. Testing is needed to ensure that the BCP is operable. Testing verifies the awareness of staff and the preparedness of the different departments/functions of the bank.
October 07
OM-5.9.2
Licensees must test their BCPs at least annually. Senior management must participate in the annual testing, and demonstrate their awareness of what they are required to do in the event of the BCP being invoked. Also, the recovery and alternate personnel must participate in testing rehearsals to familiarise themselves with their responsibilities and with the back-up facilities and remote sites (where applicable).
October 07
OM-5.9.3
All of the BCP's related risks and assumptions must be reviewed for relevance and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as the coordination and interfaces among important parties. Whether to test particular components of the BCP or to conduct fully integrated testing must be decided depending on the situation. The following points must be included in the annual testing:
(a) Staff evacuation and communication arrangements (e.g. call-out trees) must be validated;
(b) The alternate sites for business and technology recovery must be activated;
(c) Important recovery services provided by vendors or counterparties must form part of the testing scope;
(d) Licensees must consider testing the linkage of their back-up IT systems with the primary and back-up systems of service providers;
(e) If back-up facilities are shared with other parties (e.g. subsidiaries of the licensee), the licensee needs to verify whether all parties can be accommodated concurrently; and
(f) Recovery of vital records must be performed as part of the testing.
Amended: July 2011
October 07
OM-5.9.4
Formal reviews of BCP testing must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by the licensee's senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy the situation.
Amended: July 2011
October 07
Periodic Maintenance and Updating of a BCP
OM-5.9.5
Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. In the event of the plan having been activated, a review process must be carried out once normal operations are restored, to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular (say, annual) reviews of the appropriateness of the relevant service level agreements.
Amended: July 2011
October 07
OM-5.9.6
Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. This aims to confirm the validity of, or the need for updates to, the BCP requirements (including the technical specifications of the equipment at the alternate sites) for the changing business and operating environment.
Amended: July 2011
October 07
OM-5.9.7
The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.
Amended: July 2011
October 07
OM-5.9.8
Significant internal changes (e.g. mergers or acquisitions, business re-organisation or the departure of key personnel) must be reflected in the plan immediately and reported to senior management.
October 07
OM-5.9.9
Copies of the BCP document must be stored at locations separate from the primary site. A summary of the key steps to be taken in an emergency situation must be made available to senior management and other key personnel.
Amended: July 2011
October 07
Audit and Independent Review
OM-5.9.10
The internal audit function of a licensee, or its external auditors, must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing the adequacy of business process identification, threat scenario development, business impact analysis and risk assessments, the written plan, testing scenarios and schedules, and the communication of test results and recommendations to the Board.
Amended: July 2011
October 07
OM-5.9.11
Significant findings must be brought to the attention of the Board and senior management within three months of the completion of the review. Furthermore, senior management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.
Amended: July 2011
October 07
OM-5.10 Cyber Security Risk Management
OM-5.10.1
To prepare for the eventuality of cyber attacks, licensees must have a cyber attack response mechanism in place. The BCP of the licensee must also be properly enhanced to account for all CBB requirements, and must be regularly tested to assure that the licensee is capable of dealing with cyber attacks.
Added: October 2016