Fighting Disaster Through Business Continuity Planning

As Hurricane Ian began to coalesce in the Caribbean in late September, all of Florida hunkered down. This included Climate First Bancorp, the holding company for $250 million Climate First Bank, which serves primarily commercial organizations. The storm was initially expected to make landfall in the U.S. by hitting St. Petersburg, Florida, Climate First’s headquarters. The bank’s leaders knew that they had to begin preparations, so they turned to their business continuity plan. 

The two-year-old bank is also in the middle of shifting its data storage to a third party, so servers aren’t hosted at individual branches. As the storm rolled forward, though, the bank had to temporarily shift its data and operations from the St. Pete location to one in Winter Park, near Orlando. This gave the organization protection in case St. Petersburg saw significant damage. 

It served them well. As the state suffered flooding and destruction that reports have estimated between $50 billion and $65 billion, St. Petersburg and Orlando avoided the worst of the storm. Still, customers saw little disruption and the experience further prepared Climate First Bank for another hurricane that would hit weeks later. “We’re a climate focused bank, and this is supposed to be more than a 100-year flood,” says Lex Ford, president at Climate First Bank. “How many years in a row have we had a 100-year flood?”

Business continuity planning isn’t just a nice-to-have; it is a requirement set by regulators. How robust the continuity plan is, however, will determine how readily the organization can react when unexpected disturbances or upheavals in the normal course of business occur. As the rate of natural disasters rises, so does the likelihood that banks will have to lean on their continuity preparation. Boards have a responsibility to ensure that such plans have robust strategies in place, but many organizations lack coverage in certain areas.

Business continuity planning within institutions shifted in response to Covid-19. With more than 80% of executives and directors reporting that their organizations have remote workers, 44% saw a gap in their bank’s business continuity plan with regard to remote work procedures and policies, according to Bank Director’s 2022 Risk Survey, conducted in January 2022. That rate is down from 77% admitting such a gap in 2021. 

Meanwhile, despite the increase in intensity of hurricanes and other tropical storms since 1995, according to the Environmental Protection Agency, only 16% of respondents said their board has discussed the impact of climate change on the organization at least annually, according to the 2022 Risk Survey. Six out of 10 respondents said their board and senior leadership team understood the physical risks the bank faced due to climate change.

But when it comes to continuity preparations, “you’re not just planning for things that are obvious,” says Julie Stackhouse, a director at $27 billion Simmons First National Corp., headquartered in Pine Bluff, Arkansas. Stackhouse also served at the Federal Reserve Bank of Minneapolis in 2001, and was at a meeting in the New York Federal Reserve during 9/11. She witnessed first-hand the response of financial institutions. Seeing banks react to the sudden attack crystallized the importance of continuity planning for Stackhouse.

When a disaster hits, “human beings have an emotional response,” says Stackhouse. Employees will worry about family and friends, not just the bank. During these moments, “you need to think about the practicality of personality,” Stackhouse adds.

How will employees respond under the pressure of an attack, a storm that destroys nearby homes, or a ransomware incident that could threaten their jobs? Considering those emotions during moments of clarity — and planning for the expectation that some employees won’t be available — is vital to the success of any continuity plan. Boards should ensure that management has considered employees’ emotional response to such situations; otherwise, even the best plan may prove worthless when pressure rises. 

Climate First’s plan deals with the human side by spreading employees across the state. Even with two branches, the majority of its employees work from home. This served the bank well during Ian. But the bank took its experience with Ian and began to expand the states it hires from, to ensure an interruption in Florida wouldn’t affect every employee of the bank. Some employees work permanently outside the state, and others occasionally do. “Many [new hires] live three, four, five states away,” Ford says. 

It’s one strategy the bank has used to counter the threat of any one incident shutting the organization down. But it’s a solution unique to the institution itself. For directors, it’s vital to review the continuity plan and seek insight into the key issues for their individual bank. 

“The first question” for boards, says Stackhouse, “is have you seen the business continuity plan? Do you know how often it’s updated? Do you know if the key expectations are laid out in the plan?” 

Stackhouse says it’s surprising how many directors have failed to inquire about the plan even at this basic level. Once you have looked at the plan, though, you need to go further and ask how communication will occur if the organization’s infrastructure is disrupted, Stackhouse says. How will leaders communicate with employees and each other? Banks should have tactics in place for such communication and expect different layers of disruption. You may not know what unexpected disaster could eventually impact the organization, but you can lean on other scenarios — in the news or experienced directly by the bank — to prepare in case communication is disrupted in an unexpected way.

Another key question: Does the bank have business continuity staff? As a director, know what their roles are, what they do and how they handle key issues within the continuity strategy. Having ownership over the continuity plan will prevent it from becoming a secondary concern. “It is never a good answer if it’s everybody’s responsibility,” adds Stackhouse. 

One of the best ways to pressure-test your institution’s continuity plan is to hold practice runs with scenarios that could prevent the bank from operating. Walking through these scenarios lets the organization see what works, what doesn’t and what should be tweaked. Directors should take part in many of those tests, since they will likely be a key resource if a large enough event takes place. In such scenarios, management may also lean on the board for guidance.

For community banks, where resources may be more limited, focus on the events most likely to occur. These will depend on the organization but could include a hurricane, an extended power outage or a cyberattack. Running through them while leaning on the continuity plan will test what the C-suite has put together. Did communication hold? What additional resources do employees need to do their jobs? How did they react? Seeing this in a guided test run will ease nerves if the real event occurs. 

Larger banks may have a team that can run specialized tests to simulate very specific scenarios, such as a war or an unexpected attack on the nation. While you may not know which scenario will occur, these test runs give the bank case studies to draw on in the event a similar disruption happens.

For Climate First, the plan it put in place served the bank through this year’s hurricane season. It will incorporate the experience into continuity planning for the future. The goal? To ensure customers never realize a disruption occurred. 

With the most distant client living in Hawaii, that person “probably didn’t even know we were going through a storm,” says Ford. 

“And I hope they couldn’t tell.” 

* * *  

For more information about other aspects of business continuity planning, consider reading “Getting Proactive About Third-Party Cyber Risk,” or “The Topic That’s Missing From Strategic Discussions.” 

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams LLP, surveyed 222 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas. The survey was conducted in January 2022.

How Poor Communication Practices by Directors Increase Cyber Risk


cyberrisk-10-9-17.pngThe role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches—including a recent ruling by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little to no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publicly traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
Free email services have been at the center of too many corporate cyber incidents in recent years—yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal email systems and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which would leave a single director checking multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to log in with biometrics—while still enabling the data security team and corporate secretary to control record retention and data encryption. Such a platform not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or infected by viruses/malware while connected to unsecured Wi-Fi.