Tracy Hall

Title: IT Assurance Manager

Age: 44

Experience: 25 years

Whether it is a fire, a power outage or a data breach, Tracy Hall has been helping banks prepare for and get ahead of disasters for more than two decades. She began her career at CAPS/Recovery Planner and then worked at Specialized Data Systems, before beginning her current role more than four years ago as an IT assurance manager at the Boston-based regional CPA firm Wolf & Co. The company also has offices in Springfield; Albany, New York; and Livingston, New Jersey. Throughout her career, Hall has worked in the business continuity space, which sometimes shifts focus based on critical events going on at the time.

“We have been working with clients on how to more closely align their business continuity and cybersecurity response plans due to the cyber landscape becoming so important and the uptick in cyber-related incidents,” she said. Banker & Tradesman caught up with Hall to discuss how banks should prepare for disasters and what infrastructure they should be implementing.

Q: What kinds of disasters do you help banks in the Northeast prepare for?

A: In order to be compliant with regulatory guidelines, banks should consider a large range of scenarios that could potentially cause outages. We work with our clients to help them identify those potential scenarios and then plan for them, guide them in selecting recovery strategies and figure out what would need to be done if a disaster occurs. It is important for banks to consider scenarios that are not just based on historical occurrences. Statistically speaking, disasters are location specific. In recent years, it could be argued that widespread regional type events are increasing. Banks should be considering both types of events and the responses to each.

Q: How specifically do you help banks prepare for disasters?

A: There are three major steps to engagement. One is creating a business impact analysis, which is the process of identifying and prioritizing the criticality of business functions and the resources that support those functions. We help businesses determine their priorities of recovery if something ever were to happen.

Another critical step is the risk assessment, which analyzes a variety of different threats including natural, manmade, cyber and pandemic threats to determine the likelihood of an outage and the potential impact if the threat were to strike. We also explore any mitigating controls in place to lessen the likelihood, impact or both of particular threats. These steps are essential in creating a business continuity plan, which is the comprehensive process of responding to a business interruption. This includes notification or escalation of an event through technology and business recovery, as well as restoration of the affected facility and data center.

Q: What do you see as the current business continuity hot topics that banks should be focusing on?

A: There are several areas being scrutinized by regulatory bodies regarding business continuity planning. Cybersecurity preparedness is a big area of concern right now as we see increasing overlap between cyber incident response planning and business continuity planning. Similarly, vendor management and business continuity planning are also integrating more through technologies being outsourced to service providers.

Testing has also become a growing focus. Examiners want to see proof that the plan you created can actually work and support the business in the documented recovery timeframes. With the increase of regional events, ensuring you have a well-documented plan for the recovery of personnel is critical. It is no longer sufficient to say that employees will be “relocated within the branch network.” Proving that the space, infrastructure and equipment are available is really what you need to be able to show.

Q: What assistance can your company bring to banks when considering cybersecurity as part of their overall preparedness? 

A: In addition to assisting our clients in developing incident response plans, we work with companies to make sure they have cybersecurity training and communication procedures in place, so everyone from regulatory bodies to forensics are included in incident response plans that align with the business continuity plan. We also assist with the IT risk assessments that ensure critical systems are identified, backed up and protected from a security and business continuity planning perspective.

Communications is key in any type of event, both internally to disseminate critical information to facilitate a timely recovery, as well as externally to customers, stakeholders and media to help minimize impact to the business and its reputation.

Hall’s Five Business Continuity Risks

  • Risks are increasing, especially with use of the internet and cybersecurity concerns.
  • The increase in geological related occurrences (hurricanes, earthquakes, etc.) is something worth paying attention to.
  • Increasing reliance on vendors and service providers compounds risk.
  • Unstable economic and political arenas.
  • Location specific events (fires, electrical outages, etc.) will always remain.

Preparing for Disaster

by Bram Berkowitz