Financial services firms face some of the strictest regulations for IT disaster recovery and cybersecurity, leading them to advance recovery procedures to increase efficiency while meeting regulatory requirements. While the regulatory landscape is vast, there are 9 well-known IT disaster recovery regulations impacting financial companies.
We’ve worked with leading financial services firms to help advance and automate their IT disaster recovery and other IT operations processes to reduce costs, improve efficiency and attain ROI. Cutover’s 2023 survey of 300 IT executives and decision makers found that, compared to other sectors (14%), more financial services firms (43%) describe their organization as ‘advanced’ in incorporating automation into disaster recovery processes. Advanced automation is described as a well-defined automation strategy with clear milestones that is regularly reviewed.
However, it’s not all positive news. In comparison to other sectors, financial services respondents also reported an increase in IT outages, longer recovery times now than 1-2 years ago and specific implications from outdated disaster recovery plans. Read below for a summary of key survey findings comparing financial services respondents to other sectors.
Survey results: Financial services cyber and IT disaster recovery
An increase in IT service disruptions in the last 12 months
Financial services firms reported an increase in outages across all three areas surveyed: cloud architecture, on-premises architecture, and cyber attacks. The most significant difference is in cloud architecture. 91% of financial services firms report an increase in IT disruptions from cloud architecture compared to only 74% of firms in other sectors. The complexity of cloud architecture can potentially drive an increase in outages and failures, which are also more challenging to recover from.
Full recovery from cyber attack outages takes longer
Financial services firms agree that it takes longer to fully recover from a cyber attack outage now than 1-2 years ago. An astounding 96% of financial services companies believe full recovery from a cyber attack takes longer, compared to only 85% of respondents in other sectors. With the increasing sophistication of bad actors, cyber attacks are at a level of complexity and unpredictability above traditional IT disasters that cause technology outages. It’s important to consider the nuances and key differences between IT disaster and cyber recovery when building cyber recovery plans.
Operational disruption from cyber attacks is a top concern
When it comes to business implications from cyber attacks, financial services companies are more concerned about operational disruption compared to other sectors. 68% of financial services respondents rank operational disruption as one of the biggest concerns, while only 55% of respondents in other sectors cited it as a top concern. Their focus on avoiding operational disruption is also shown through their recovery time objectives (RTOs). Compared to other sectors, 16% more financial firms want to achieve an RTO of one hour or less for mission-critical applications in the next twelve months. Maintaining business operations is critical for all enterprises, but financial firms are more concerned about disruption and avoiding risk.
Outdated IT disaster recovery plans can cause reputational damage
Outdated disaster recovery plans can significantly increase risks to any business - impacting the overall company, customers and shareholders. Of the potential impacts, 60% of financial services companies consider reputational damage one of the biggest risks of outdated disaster recovery plans. By comparison, only 41% of firms in other sectors consider it a top risk.
Additionally, only 19% of financial services companies constantly update or evaluate their disaster recovery plans, while 21% evaluated or updated them over one year ago. The higher the risk for an organization, the more frequently the IT disaster recovery plan should be reviewed, tested and updated. A best practice is to review plans annually, as a minimum, but more frequent is better, especially for regulated industries.
Best-in-class IT disaster recovery automation is characterized by regular exercising and improved control
Best-in-class can be defined in many ways - it’s in the eye of the beholder. Our survey listed the following ten characteristics of best-in-class disaster recovery automation:
- End-to-end focus encompassing evaluation, design, management, monitoring, reporting and governance
- Improved visibility and control of recovery processes
- Regular testing and exercising disaster recovery plans
- Remove complexity rather than add to it
- Continuous awareness and real-time monitoring
- Education for IT and cloud resilience stakeholders
- Frequent review of disaster recovery strategy and processes
- Integrated, unified solution
- ROI/effective cost containment
62% of financial services firms say that regular testing and exercising of disaster recovery plans characterizes best-in-class automation. Secondly, they favor improved visibility and control of recovery processes. To ensure an IT disaster recovery plan actually works, it needs to be regularly tested, exercised and updated from lessons learned. Regulatory bodies are increasing the pressure on financial services firms to improve disaster recovery plans and prove recovery. In turn, these firms are placing higher value on testing and exercising disaster recovery plans and improved control of processes.
IT disaster recovery automation strengthens processes and posture
Incorporating automation into IT disaster recovery plans proves beneficial in many ways. Our survey finds that enterprises consider a broad range of benefits, but there are two that stand out.
First, more than half of financial services firms, or 51%, consider process improvements in other parts of the business as a benefit of disaster recovery automation. Automating disaster recovery should be part of a broader automation strategy that impacts multiple areas of an organization. Automation reduces manual tasks and human error during a recovery, but can also stretch to other parts of the business.
Second, 49% of financial firms cite a strengthened recovery posture as a key benefit. In comparison, only 36% of firms in other sectors view this as a gain. A strengthened recovery posture goes hand in hand with confidence, and automation plays a key role in helping gain confidence in disaster recovery, whether for IT or cyber.
Automating cyber and IT disaster recovery for financial services
Financial services face stringent regulatory requirements, often with strict RTOs, for disaster recovery. It’s unsurprising that they are looking to automate disaster recovery to mitigate risks and meet regulations. However, only 66% of financial services firms think cyber and IT disaster recovery needs to be more automated within the next 12 months to avoid serious service disruption and the associated consequences.
Cutover’s Collaborative Automation SaaS platform helps global financial services firms and other enterprises connect teams and technology. Automated runbooks enable the standardization and automation of IT operations processes like IT disaster and cyber recovery.