Perspectives 2019 2020 Public Sector
Key themes from Citi’s Africa Exercise

• Preparation is Key:
—— There is a need for a proper recovery strategy framework with playbooks for each sector and at a country-level. These playbooks should include escalation procedures, external communication and information sharing arrangements, roles and responsibilities, and clearly defined roles for the Bankers’ Association, Communications Regulator, and Central Bank. This information should be captured as appropriate within the national/financial crisis management frameworks.
—— In addition to a sector playbook, both the private and public sector require their own broad institution-specific playbooks to help guide response practices with pre-defined trigger thresholds for deployment of containment procedures and escalation protocols.
—— Banks whose revenue-generating teams signed-off/sponsored their playbooks, instead of delegating to their information security or business continuity teams, appeared to have a much better understanding of the trade-offs when making decisions.
—— Central banks had a vital role to play in connecting the banking and payments associations, as well as developing a proactive mechanism to convene industry in the event of an incident.
—— In particular, clarity was called for over who should handle media statement(s): individual banks (to manage their stakeholders and confirm they are not affected, which may see over 20 statements shared with the public, for example) or a single response from the central bank (to ensure market stability and reassure confidence in the market)?

• Deeper Trust to Enable Information and Risk Sharing is Needed
—— Value of information sharing was recognized; and more trust in the market is needed to progress this, which can be developed through collective exercising.
—— Need to have a mechanism to share and review emerging risks, and to perform annual risk assessments with outputs shared and included in playbooks (with exercises then validating these).
—— Many noted that it was important to keep a clear distinction between threat intelligence/information sharing for early warning purposes vs. for regulatory notifications/reporting requirements.

on a single group “country” answer — and each option was designed to impact Funding & Liquidity, Share Price, Market Confidence and Reputation, illustrating the balancing of risks and impacts in crisis scenarios. The pilot exercise also highlighted the power of creating a safe learning environment. By leveraging Immersive Lab’s interactive online (web-based) platform at the event, the participants could directly and anonymously engage with the scenario whilst also benefiting from a structured discussion, with the multiple-choice format providing optionality and driving debate within the country locations. By doing this, and using fictitious banks, participants were better able to engage in discussion, with no barriers to engagement and no need to share details of their own cyber security programs, which would have risked inferences that some were worse or better than the rest.

From Security to Resilience