The importance of Cyber-Resilience, an economic imperative

Philippe Dann & Christophe Ruppert, EBRC
By LG 02/03/2020
Banking, Insurance & Fintech
Health & Life Sciences
Public Sector & European Institutions
Defense & Space
Technology & Software Providers
Energy, Logistics & Industry

Any organisation, whether in the public or private sector, will sooner or later have to implement a resilience plan if it wants to survive in an increasingly competitive market. To help companies define and use effective Business Continuity Systems, EBRC has developed Cyber-Resilience Portal, an online tool that centralises the entire BCMS process (Business Continuity Management System) and that aims to create a documented Management System.

Why Cyber-Resilience is so important?

In a “digital-dependent” economy, risk takes on a completely new dimension due to its rapid spread and its ability to impact your value chain. Being able to anticipate and prepare, and having ready-to-use solutions are the objectives of a standardisation process. Cyber-Resilience does not consist solely of meeting regulatory obligations, it has become a business imperative, a tangible vector of trust.
There is an undeniable commercial and competitive advantage that sets cyber resilience adopters apart from their competitors. As a result, customers, which we have supported up in achieving the ISO 22301 certification, have gained market shares thanks to the additional guarantee they are able to offer. In particular, they have been granted tenders because they were able to prove, thanks to their certification, that they had implemented all the measures for ensuring business continuity.

What are the markets benefiting from Cyber-Resilience?

Our customers and our prospects work in sectors such as finance, insurance, transport, health, agri-food and aeronautics. We regularly support customers throughout the process of obtaining ISO 22301 certification. This was the case for Arendt Services, in particular, a specialised PFS offering a full range of services aimed at helping companies to establish and manage themselves in Luxembourg, as well as for the Banque de Patrimoines Privés, Luxembourg’s first financial institution to have implemented a Business Continuity Management System which is fully compliant with the standard.

The importance of a specific Cyber-Resilience strategy: for business continuity system.

Cyber-Resilience service offer mainly covers activities relating to risk management, compliance with operational security and the IT transformation. There is often a gap between the level of requirements expressed by businesses and the current ability of the IT systems to meet those requirements. Our aim is to ensure that both of those parties are aligned so that in the event of a major incident, the company has access to a solution adapted to the business and that the IT system is able to deliver that one. To achieve this, we support our customers in developing a BIA (Business Impact Analysis) followed by a Business Continuity plan. The innovation contributed by EBRC consists in centralising all of that analysis work per business and per service within a central platform called the Cyber-Resilience Portal. Beyond the practical and security aspects of the centralisation of BIA storage and other components of a Business Continuity Management System, the Cyber-Resilience Portal makes it possible to create scenarios in real-time to facilitate decision-making. Let us not forget that a Business Continuity approach represents a long-term approach using the PDCA method (Plan Do Check Act). The Cyber-Resilience Portal makes it easier to implement a recurring process that contributes improving organisations’ resilience by providing managers with the resources to select from among the best options. Our solution provides with access to various alternatives, enabling to take a decision after understanding the potential ROI of each improvement considered.

Cyber-Resilience should be provided with adequate support to adopt good business continuity practices and implement a continuous improvement process based on IT certification such as the ISO 22301 standard. ISO 22301 specifies the requirements for planning, establishing, installing and implementing, auditing, revising, maintaining and continuously improving a documented Management system in order to create a layer of protection against disruptive incidents, reduce the probability of their occurrence, prepare for such incidents, and recover when they occur.


What is EBRC added value compared to the competition?

EBRC’s added value, both in the completion of service missions and in the development of the Cyber-Resilience Portal, lies in the perfect knowledge of the ISO 22301 standard. The methodology is based on that standard, and is continuously adapting based on current events. The ISO 22301 standard will be updated this year, to be published in late 2019, in order to become an umbrella standard that will cover information security and quality levels. EBRC teams have prepared for this. We can also provide our customers with valuable feedback. Another thing that sets us apart is the fact that we have become more than just continuity theorists, as we have followed the same pathway as that which we recommended to our customers, and the fact that we achieved ISO 22301 certification in 2016.


How to start a resilience process? Business resilience summarised in 5 points

  • 1. Starting from the business to evaluate impacts.

The first step consists of considering the business and analysing the gaps between the current situation and the requirements of the ISO 22301 standard.

  • 2. Identifying critical activities.

The effects of business interruption on each team must be assessed using various criteria such as the Recovery Time Objective (RTO), the Recovery Point Objective (RPO) and the Maximum Acceptable Outage (MAO).

This step consists of drawing up a list of the actions to be carried out in order to align the IT system with the business’ needs.

  • 4. Defining and testing crisis management components.

It is important to carry out crisis management exercises that match the current situation as closely as possible. This is one of the possibilities offered by the simulation and training platform of the Cybersecurity Competence Center (C3) with which EBRC has a partnership.

  • 5. Raising awareness and providing information to employees.

Cyber-Resilience is everybody’s business. Every employer, at their own level, must know what to do in the event of a crisis.