NZ Incident Response Bulletin - August 2024

The August edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content, based on a trending theme, this months being?“The Importance of Business Continuity and Disaster Recovery Planning”.

The Importance of Business Continuity and Disaster Recovery Planning

As evidenced by the recent widespread CrowdStrike issue, organisations face a myriad of risks that can disrupt operations. From natural disasters to cyberattacks, these unforeseen events can have severe consequences on a business’s continuity and financial stability. This is where Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) become indispensable. These plans are not just essential for, but also for maintaining operations during and after a disaster.

Understanding BCPs, DRPs and IRPs

While BCPs, DRPs and IRPs are often used interchangeably, they serve different purposes as follows:

• Business Continuity Plans (BCPs): These plans are proactive, focusing on maintaining normal operations before, during, and immediately after a disaster. They ensure that business functions continue with minimal interruption, thus mitigating financial and operational impacts.
• Disaster Recovery Plans (DRPs): In contrast, DRPs are reactive, detailing the steps necessary to respond to an incident and restore operations smoothly. They concentrate on IT systems and data, crucial for protecting vital information and reducing downtime during crises.
• Incident Response Plans (IRPs): An IRP is designed to manage and mitigate the effects of security incidents. It outlines procedures for detecting, responding to, and recovering from security breaches, focusing on minimising damage and restoring normal operations.

While BCPs, DRPs, and IRPs are all critical, their distinct focus areas necessitate separate development. While we usually spend a lot of time discussing IR Planning, the focus below will be on BCPs and DRPs.

The Benefits of Effective Business Continuity and Disaster Recovery Planning

Effective Business Continuity and Disaster Recovery planning may enable:

• Shortened Downtime: Effective BCPs and DRPs help organisations minimise downtime and quickly restore operations, reducing the financial impact of disruptions.
• Lower Financial Risk: Strong BCPs can significantly reduce disruption costs by maintaining customer confidence and ensuring quick recovery.
• Protection Against Reputational Damage: A well-executed BCP and DRP protect an organisation’s reputation by demonstrating preparedness and the ability to handle crises efficiently.
• Reduced Penalties: Robust BCPs ensure compliance with regulatory requirements, mitigating the risk of substantial penalties due to data breaches or other incidents.

The Regulatory Perspective

Regulative requirements, such as those outlined in the "Regulatory Impact Statement: Business Continuity Condition for FMC Licences," now underscore the importance of BCPs and DRPs. Effective July 1, 2024, this new standard condition mandates certain market services licence holders under the Financial Markets Conduct Act 2013 (FMC Act) to maintain robust business continuity plans and critical technology systems.

Objectives of the Regulation include:

• Ensuring licence holders maintain business continuity plans and operational resilience of their critical technology systems.
• Providing timely information to the Financial Markets Authority (FMA) about incidents impacting these systems.

This regulation highlights the necessity for organisations to have solid plans to not only safeguard their operations, but also to comply with legal and regulatory standards, thus avoiding penalties and maintaining their reputation.

Building Effective BCPs and DRPs

Before diving into the specifics of creating effective BCPs and DRPs, it's essential to understand two key concepts: Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

• Recovery Time Objective (RTO): This refers to the maximum acceptable amount of time it takes to restore business processes after an unplanned incident. Establishing a reasonable RTO is a critical first step in both BCP and DRP development. The goal is to minimise downtime and ensure that operations can resume as quickly as possible.
• Recovery Point Objective (RPO): RPO is the maximum acceptable amount of data loss measured in time. It reflects the point in time to which data must be restored to resume operations after a disaster. Businesses often have different RPOs depending on their data protection strategies. Some enterprises continuously copy data to a remote data centre to ensure no data loss, while others may tolerate a few minutes or hours of data loss, knowing they can recover from a backup system.

Once you understand your RTO and RPO the following high-level steps are actioned to create BCP and DR plans:

1.???????? Conduct a Business Impact Analysis (BIA): Identify critical business functions and processes and assess the potential impact of various types of disruptions. This analysis helps prioritise which areas need immediate attention and resources.

2.??????? Identify Risks and Threats: Determine the potential risks and threats that could impact your business. This could include natural disasters, cyber-attacks, equipment failures, or other emergencies. Understanding these risks helps in developing targeted strategies for both continuity and recovery.

3.??????? Inventory Your Assets: Conduct regular inventories of all IT assets, categorising them as critical, important, or unimportant to prioritise protection and recovery efforts.

4.??????? Develop Recovery Strategies: Based on the BIA and risk assessment, create strategies to maintain and restore critical functions. For BCPs, this might involve setting up alternate work sites or remote working capabilities. For DRPs, it could include specific procedures for data recovery, system repairs, and communication plans.

5.??????? Establish Roles and Responsibilities: Clearly define who is responsible for various tasks during a disaster. This includes identifying key personnel, their roles, and the chain of command. Having a clear structure ensures that everyone knows their duties and can act quickly.

6.??????? Create Communication Plans: Effective communication is vital during a disaster. Develop plans for internal and external communications to ensure that employees, stakeholders, and customers are informed and updated regularly.

7.??????? Implement Training and Testing: Regular training sessions and drills help ensure that all team members are familiar with the BCP and DRP procedures. Conducting tests and simulations can identify any weaknesses in the plans and provide opportunities for improvement.

8.??????? Review and Update Plans Regularly: BCDR plans should not be static. Regular reviews and updates are necessary to accommodate changes in business processes, technology, and emerging threats. Continuous improvement helps keep the plans relevant and effective.

The integration of Business Continuity Plans and Disaster Recovery Plans is crucial for organisational resilience. These plans not only help businesses prepare for and respond to unexpected incidents but also ensure compliance with regulatory requirements, thus safeguarding financial stability and reputation. By understanding the differences between BCPs, DRPs, and Incident Response Plans (IRPs) and following the steps to create and maintain these plans, organisations can enhance their ability to withstand and recover from disruptions, ensuring long-term sustainability and success. The new standard condition introduced by the FMA serves as a key example of the regulatory emphasis on the importance of these plans, further highlighting their critical role in today’s business environment.

The Bulletin:

To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin