Qorus Banking Innovation Awards 2021 - Nominated

Cyber Range - Integrated cyber crisis management model

29/09/2021 Banking Innovation

About

The cyber crisis management model provides an end-to-end view of a crisis event, supported by benchmarks and international reference models, connecting all stakeholders and acting on the transformation of the mindset and the relationship with the issue.

Innovation presentation

Cyber-attacks are listed as one of the top 10 risks by the World Economic Forum, with potential losses of $6 trillion by 2021 and an increase in disruptive events in all sectors, intensified by the pandemic period.

Bradesco, with approximately 70 million customers and approximately R$ 1.3 trillion in assets, has an important role in protecting its customers' information, reinforcing its reputation of trust and credibility.

Considering this scenario, a robust Cyber Resilience Program (CRP) was established as a broader strategic initiative for crisis management. It integrated all areas of the organization and applied our cyber defense strategies, going beyond the borders of IT and Security to involve and sensitize all the organization's players on the issue.

Bradesco has been through a Security Transformation Program since 2016 to raise its global levels of security maturity. In 2019, the CRP aimed to align prevention, detection and response capabilities to mitigate and stop cyber-attacks, reinforcing organizational resilience to maintain its integrity and protect its data, applications and IT infrastructure.

The comprehensive scope of the program, fully aligned with regulatory requirements, covers:

• Detailed analysis of the current state: mapping of vulnerabilities, with a gap analysis compared to defined benchmarks and defined crisis scenarios

• Establishment of the CRP team, its governance and communication strategy

• Development of the future operation model: framework, policies, processes, roles and responsibilities

• Training of senior leaders in different areas across the company, testing scenarios in a cyber crisis session in Cambridge-USA (at the IBM facilities)

• Awareness-raising of the entire organization, including the Board of Directors, the Audit Board and the Board.

We involved the entire organization, with an integrated model covering the front to the back office, through the Cyber Resilience Program (CRP), which comprises: a multilayer organization (specific groups) with a clear communication plan; a structured methodology based on COBIT, COSO, BSI, ISOs, NIST frameworks, etc.; the use of artificial/cognitive intelligence to map threats; and a reformulation of the physical structure with dedicated spaces and support from the Corporate University with courses for employees and third parties.

Cyber scenarios were tested at the IBM X-Force Command Center, where the simulation exercise made it possible to identify and apply improvements to the model quickly. Bradesco was the first Latin American bank to use the center. In the tests, the execution of the playbook (the operating guide during the crisis) was simulated, making people experience the emotions of the moment, with all its complexity. It demonstrated that, in addition to technical requirements, emotional and psychological maturity are necessary. Decisions during a crisis are made by people, who need emotional preparation. Some of the events tested were: publications on social networks, an incoming call about data leakage, blackmail, website adulterations, news reporter interventions, blocking of stations, and invasion at ATMs, among others.

Also in the same period, the operating model was benchmarked with the following institutions: District Attorney’s Office of Connecticut, U.S. National Security & Cyber Crimes Unit; New York Police Department.

Another action of great relevance was the partnerships with national institutions, such as integration via the Febraban group to share cyber-counterattack actions, and also the Cyber Guardian exercise, coordinated by the Brazilian Ministry of Defense.

Among the results achieved are enhanced maturity among those involved and the creation of governance with levels of responsibility across the operational, tactical and strategic groups. This governance included a multi-layered and synchronized communication plan covering the entire organization and all hierarchical levels, from the involvement of senior executives (members of the Board and Officers) to the most impacted departments: IT Governance, Risk Management, Security, IT Infrastructures, Marketing - Press Relations, Retail, Corporate and Investments, Social Networks, Legal, Operations, Investor Relations. Active participation and involvement during the establishment of the model and in the simulations were instrumental in promoting a faster and more accurate decision-making process under the stress of a crisis.

The integrated model included an end-to-end view of a crisis event and connected all stakeholders:

• Technical groups, mainly in IT, whose role is to find technical solutions to stop attacks during a crisis and avoid further damage and losses for customers and the organization;

• Crisis intelligence orchestration group: responsible for coordinating all stakeholders in each stage of the crisis and for bridging communication between them and senior leaders;

• Strategic group: responsible for the business tactical solution that can reduce losses and impacts, and for deciding on immediate bypass actions.

We consider that one of the biggest benefits is the transformation of the mindset: each person understands that cyber is not only a matter of IT. Everyone can contribute with prevention, from product design to individual actions, such as clicking on a malicious link, and, in times of crisis, knowing exactly how to act and behave, based on pre-established plans.

*FEBRABAN: Brazilian Federation of Banks - a non-profit association that is committed to strengthening the financial system and its relations with society and contributing to the country's economic, social and sustainable development.

Uniqueness of the project

The most important achievement of this initiative is to transform the mindset: to make all employees aware that cyber is not just a matter of Technology and Security, but a general issue for the organization.

Everyone needs to contribute to prevention, which can be during the design and launch of a new product or in individual actions, such as clicking on a link in a malicious email.

Communication and awareness involved all levels and areas, and brought executives and senior leaders to experience the situation themselves (in this case, a cyber-attack), making everyone better understand their roles, responsibilities, skills and abilities needed to face such a challenge, in addition to understanding what is at stake if the process does not work properly.

In addition, it was possible to improve the current Contingency and Recovery Plan on three fronts:

• People: expanding the number of trained people, with independence to carry out the right measures during an event and at the appropriate time

• Infrastructure: technical tests, business tests and integrated management - a new investment was pointed out to have a suitable environment for continuous tests similar to those of IBM

• Making current methodologies, processes and solutions known to the main participants

In terms of innovation, we have the use of Artificial Intelligence for mapping current vulnerabilities and threats and models to predict future threats, with the creation of algorithms to deal with attacks automatically and seek solutions/corrections in real time.

Currently, Bradesco is also working together with the Central Bank of Brazil and FEBRABAN to implement a cyber security program and best practices with other companies and banks. We also supported the Brazilian government in the Cyber Guardian program, contributing to the implementation of the "Cyber Space Protection" initiative to develop and install measures to protect Brazil's critical infrastructure defined by the guidelines of the Central Bank and the Ministry of Security.
