BCP/DRP training exercise and audit

A player in the financial sector (an investment fund) sought to strengthen its level of cyber resilience with Alcyconie.

Context

Operating in a sector marked by numerous rules and by a significant change in the regulations applicable to crises of cyber origin, a player in the financial sector (investment funds) wanted to strengthen its level of cyber resilience.

The entry into force of DORA was also central to the thinking behind the engagement and to the support plan that was implemented.

While cyber resilience was initially approached through an exercise (a sectoral obligation), the training continued as a mission of several months, ranging from training in cyber crisis communication to an audit of crisis procedures.

Objectives

  • Carry out a cyber crisis management exercise in order to take stock of the organization's level of maturity and identify areas for optimization;
  • Increase the organization’s cyber resilience and make training exercises systematic;
  • Test how well existing crisis procedures have been adopted and how operational they are when faced with a realistic scenario;
  • Test the internal and external communication strategy of the crisis unit;
  • Train the crisis unit in the specifics of communicating during a crisis of cyber origin;
  • Assess the level of maturity of crisis and BCP/DRP procedures and their deviation from the state of the art;
  • Define a clear and operational action plan allowing the organization to enrich its body of documentation, anchor its good reflexes and, overall, meet regulatory requirements (DORA).

Mission Description

The support was carried out in different stages:

  • Immersive exercise for the decision-making crisis unit (over 0.5 days) and cold RETEX (after-action review);
  • Organization of a training session, the conclusions of the exercise having highlighted the need to strengthen the unit's preparation on communication during crises of cyber origin;
  • Audit of the organization’s crisis system and BCP/DRP;
  • Organization of a workshop to support the operations department in identifying the priority actions to be carried out to optimize the existing body of documentation.

Challenges and specificities

The challenges of this engagement stemmed in part from a real need to make the existing system operational.

Strong sectoral regulations lead to procedures that are often exhaustive and meet regulatory requirements, but that sometimes greatly lack pragmatism.

The objective was therefore to raise the organization's maturity in anticipating risks and structuring its crisis system, while allowing it to evolve its processes so that it can respond more quickly in the event of a crisis.

This involves, among other things, simplifying and clarifying the decision-making chain.

Alcyconie’s value-added expertise

The combination of expertise in digital law and cyber crisis communication with in-depth knowledge of the legal issues of the financial sector enabled Alcyconie to offer support adapted to the organization as its needs evolved.

The tailor-made support, delivered through small-group training and thematic workshops, also made it possible to identify the key points for strengthening the organization's cyber resilience.
