Cyber Resilience: Preparing for the Big Breach

William C Hord, Chief Strategy Officer - ERM Pilot

ERM Pilot | Business Continuity & Resilience Series, Part 1 of 3 by William Hord - Chief Strategy Officer


Cybersecurity has been on the list of top operational risks for financial institutions for over a decade. What has changed in 2025 is the examiner expectation around resilience — the ability not just to prevent cyberattacks, but to detect them quickly, contain them effectively, and recover from them without permanent operational damage.

Prevention alone is no longer the standard. Resilience is.

What Regulators Have Said

The OCC's Spring 2025 Semiannual Risk Perspective is direct: "evolving cyber threats emphasize the importance of operational resilience." This is not a statement about cybersecurity controls in isolation. It is a statement about whether institutions can keep operating — at reduced capacity if necessary — while a cyber incident is being managed.

CISA has issued multiple operational advisories on specific vulnerabilities affecting financial sector organizations, with guidance extending beyond patching to incident response coordination, backup integrity verification, and recovery timeline validation. The FFIEC's Business Continuity Management Booklet explicitly lists cyberattacks as a primary continuity threat category — one that demands not just preventive controls but tested recovery playbooks.

The Federal Reserve's supervision framework and the OCC's FY2025 Operating Plan both identify cyber incident response as an area of active examination focus — with particular attention to tabletop exercises, post-incident review processes, and the integration of cyber scenarios into enterprise-wide continuity planning.

The Detection-to-Recovery Timeline

Incident response effectiveness is largely determined by three timelines: time to detect, time to contain, and time to recover. Each has a direct bearing on operational continuity, member and customer impact, and regulatory reporting obligations.

CISA's incident response frameworks identify detection capability as a foundational element — and one that many institutions underinvest in relative to prevention. Sophisticated threat actors often maintain persistent access to compromised systems for weeks or months before activating a ransomware payload or data exfiltration operation. An institution with strong preventive controls but limited detection capability may be operating with a threat actor already inside its environment.

For continuity planning purposes, the critical question is: what is the institution's minimum operating capability if its primary systems are compromised and need to be isolated? That floor — the processes, data, and infrastructure needed to serve members and customers at minimum viable capacity — should be explicitly documented and periodically tested.

Tabletop Exercises: Beyond the Annual Check-the-Box

The FDIC has advocated for "sound practices" in operational resilience that go significantly beyond annual IT recovery tests. Cyber incident tabletops — structured exercises that simulate a realistic attack scenario and test the institution's detection, communication, decision-making, and recovery response — are increasingly an examiner expectation, not a best practice.

A well-designed cyber tabletop should include:

- A realistic initial scenario (e.g., ransomware detected in one segment of the network)
- Decision points that test escalation protocols: when does IT escalate to senior management? When is the board notified?
- Regulatory notification timelines: the FFIEC expects institutions to understand their reporting obligations under applicable guidance
- Communication decisions: what do members and customers know, when do they know it, and who approves those communications?
- Recovery sequencing: which systems come back online in what order, and what are the dependencies?

Exercises that surface gaps are far more valuable than exercises that confirm everything works. The goal is to find failures in a controlled setting, not to avoid finding them.

Backup Integrity: The Overlooked Vulnerability

Ransomware has evolved specifically to target backup systems. Modern ransomware variants identify and encrypt backup repositories before activating the payload visible to end users — meaning institutions that assumed their backups were an adequate recovery mechanism may find them compromised at precisely the moment they are needed.

CISA advisories have addressed this directly, recommending that backup copies be maintained offline or in isolated environments that ransomware cannot reach through normal network access. The FDIC's resilience guidance similarly emphasizes that backup systems should be regularly tested for integrity — not just confirmed to exist.

An institution that hasn't tested its ability to restore from backup under realistic conditions doesn't actually know whether its recovery capability is real.
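As an added illustration of what "tested for integrity, not just confirmed to exist" can mean at the file level, the following Python builds a SHA-256 manifest of a backup set at backup time, seals the manifest with an HMAC key that is assumed to live outside the backup domain, and then checks a restored copy against it. This is example code written for this article, not code from the article or from ERM Pilot's product; the file names, contents, directory layout and key are constructed for the demonstration.

```python
"""Backup integrity check: hash manifest at backup time, verification at restore time.

Added example for this article; it is not from the article or from ERM Pilot's
product. Paths, file contents and the HMAC key below are constructed.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def rel_key(root: Path, p: Path) -> str:
    """Manifest key: path relative to the tree root, always with '/' separators."""
    return str(p.relative_to(root)).replace(os.sep, "/")


def build_manifest(backup_root: Path) -> dict:
    """Record size and SHA-256 of every regular file under backup_root, at backup time."""
    return {
        rel_key(backup_root, p): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON. The key must be held outside the backup domain;
    otherwise whoever can rewrite the backups can rewrite the manifest to match."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_seal_ok(manifest: dict, key: bytes, seal: str) -> bool:
    """Constant-time comparison of the recomputed seal with the stored one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest: ok, missing, modified and unexpected files."""
    findings = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restore_root / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            findings["modified"].append(rel)
        else:
            findings["ok"].append(rel)
    for p in sorted(restore_root.rglob("*")):
        if p.is_file() and rel_key(restore_root, p) not in manifest:
            findings["unexpected"].append(rel_key(restore_root, p))
    # A restore only counts as good when nothing is missing or altered.
    findings["passed"] = not (findings["missing"] or findings["modified"])
    return findings


def demo() -> dict:
    """Constructed scenario: back up three files, then 'restore' a copy in which one
    file was overwritten at the same size, one was deleted, and one was added."""
    key = b"constructed-example-key"  # in practice: from a KMS/HSM the backup hosts cannot reach
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ledger").mkdir(parents=True)
        (backup / "ledger" / "accounts.db").write_bytes(b"account-data-v1" * 100)  # 1500 bytes
        (backup / "ledger" / "journal.log").write_bytes(b"2025-01-01 posted 3 items\n")
        (backup / "config.yaml").write_text("core: primary\n")
        manifest = build_manifest(backup)
        seal = seal_manifest(manifest, key)

        restore = Path(tmp) / "restore"
        shutil.copytree(backup, restore)
        (restore / "ledger" / "accounts.db").write_bytes(b"\x00" * 1500)  # same size, wrong bytes
        (restore / "config.yaml").unlink()
        (restore / "README.txt").write_text("not part of the backup\n")

        findings = verify_restore(restore, manifest)
        findings["seal_ok"] = manifest_seal_ok(manifest, key, seal)
        # A manifest edited to hide the deletion must fail the seal check.
        edited = {k: v for k, v in manifest.items() if k != "config.yaml"}
        findings["edited_manifest_seal_ok"] = manifest_seal_ok(edited, key, seal)
        return findings


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here. First, the overwritten database file keeps its original size, so a check that only compares sizes or timestamps would report a healthy restore; only the content hash catches it. Second, the manifest is sealed with a key the backup hosts never hold, because a manifest stored next to the backups and unprotected is only as trustworthy as the backups themselves. In a real restore test, the manifest and seal would be produced at backup time and kept with the offline copy, and the verification would be run against data actually restored onto recovery infrastructure, not against the repository in place.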


ERM Pilot's BC Events module provides timestamped activity logging, scenario documentation, and direct linkage to BC plans — so your incident response is documented, defensible, and continuously improving. Start your free trial at ermpilot.com.

Article References

1. Office of the Comptroller of the Currency. Semiannual Risk Perspective, Spring 2025. Washington, D.C.: OCC. Available at: https://www.occ.gov/publications-and-resources/publications/semiannual-risk-perspective/files/pub-semiannual-risk-perspective-spring-2025.pdf

2. Federal Financial Institutions Examination Council. Business Continuity Management. IT Examination Handbook. Washington, D.C.: FFIEC, November 2019. Available at: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management

3. Cybersecurity and Infrastructure Security Agency. #StopRansomware Guide. Washington, D.C.: CISA, Updated 2023. Available at: https://www.cisa.gov/stopransomware/ransomware-guide

4. Office of the Comptroller of the Currency. Fiscal Year 2025 Bank Supervision Operating Plan. Washington, D.C.: OCC, October 2024. Available at: https://www.occ.gov/news-issuances/news-releases/2024/nr-occ-2024-111a.pdf

5. Federal Financial Institutions Examination Council. 'Financial Regulators Revise Business Continuity Management Booklet to Stress to Examiners the Value of Resilience to Avoid Disruptions to Operations.' Press Release, November 14, 2019. Available at: https://www.ffiec.gov/news/press-releases/2019/pr-11-14
