Crisis Management: It's All About Context

The Growing Complexity of the Threat Landscape

The world is increasingly complex, interconnected, and reliant on a diverse ecosystem of suppliers and service providers. The cyber threat landscape is evolving rapidly, driven by technological advances, global instability, and geopolitical risk — trends highlighted in the World Economic Forum’s Global Risks Report.

According to the UK Government’s Cyber Security Breaches Survey 2024:

  • 50% of businesses and one-third of charities experienced a cyber security breach or attack in the past year.
  • Large-scale events such as the MOVEit hack, Ticketmaster breach, and CrowdStrike outage illustrate the pervasive and destabilising nature of cyber incidents.

The frequency and severity of cyber crises make it essential for organisations to implement strategies to anticipate, respond to, and recover from significant disruptions.

Rising Regulatory Demands

The National Cyber Security Centre (NCSC) calls for greater global resilience against increasingly complex and aggressive cyber threats. Among its recommendations:

  • Crisis exercising to test organisational preparedness and response.
  • Support for organisations of all sizes in improving resilience.

Regulatory bodies across sectors are also mandating evidence of resilience:

  • UK Financial Services: The FCA and PRA’s Operational Resilience regulations require firms to test their response to severe but plausible scenarios by March 2025.
  • EU Financial Services: The Digital Operational Resilience Act (DORA) mandates robust ICT system testing to validate controls.
  • Critical Infrastructure in the EU: The Critical Entities Resilience Directive (CER) and NIS2 Directive impose requirements for hazard resilience, stress testing, and cybersecurity audits.
  • Critical Third Parties: UK regulators now require critical third-party suppliers to the financial sector to demonstrate resilience. The forthcoming UK Cyber Security and Resilience Bill is likely to expand these requirements to other sectors.

Interdependence between sectors means disruptions can ripple across industries, affecting economies and essential services worldwide.

FAIL TO PREPARE, PREPARE TO FAIL

Crisis or incident plans can provide reassurance, but without proper testing, there is little guarantee they will work in practice. Crisis exercises enable leaders, managers, and operational teams to apply crisis management plans in a safe learning environment.

Effective crisis management depends on:

  • A strong organisational culture.
  • Open-minded commitment to continuous improvement.
  • A dynamic crisis management team with clearly defined roles and responsibilities.

Scenario selection should be informed by threat intelligence and reflect the current risk landscape. Exercises can take several forms — tabletop, live real-time simulation, or hybrid. They should:

  • Educate participants on the unique aspects of cyber crises.
  • Strike a balance between realistic pressure and a safe environment for questions, mistakes, and learning.

Debriefing after exercises is essential to convert lessons identified into lessons learned. Implementation of recommendations requires executive buy-in and resource allocation.

FORWARD LOOK

The World Economic Forum stresses that cyber resilience must be treated as a strategic leadership priority, enabling protection of core business objectives and supporting long-term growth.

Key points from WEF’s Global Risks 2024:

  • AI-generated misinformation/disinformation and cyber-attacks rank #2 and #4 among global risks.
  • Cyber is a compounding risk factor — amplifying the impact of geopolitical conflict, economic instability, and natural disasters.

Implications for organisations:

  • Cyber risk is interconnected with all operational risks and cannot be confined to IT.
  • Risk management must be cross-functional, with cyber considerations embedded throughout the organisation.

David Ferbrache OBE, Managing Director at Beyond Blue, summarises:

“Exercising is a vital tool for combatting this uncertainty. Organisations may not be able to predict how they will be hit or by whom, but they can hone their responses and better prepare for the hard choices they will face in a major incident.”
