Cybersecurity and operational resilience are an area to which financial institutions are giving more attention. As cyberattacks grow in sophistication, regulators are pushing for enhanced resilience standards. This is evident in recently introduced directives such as the Digital Operational Resilience Act (DORA) in the EU and the directives being introduced by the Cybersecurity and Infrastructure Security Agency (CISA) in the US. A key challenge in cybersecurity and operational resilience is implementing robust incident response plans and third-party risk management, and meeting regulatory reporting obligations after a breach or outage.
Why cybersecurity alone is not enough
Let’s look at the definitions to understand what cybersecurity and operational resilience are, and why they go hand in hand in today’s world. CISA defines cybersecurity as “the art of protecting networks, devices, and data from unauthorised access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” The Federal Reserve Board defines operational resilience as “the ability to deliver operations, including core business lines and critical operations, through a disruption from any hazard. It is the outcome of effective operational risk management, combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.” It is not enough for firms simply to be protected; they also need functional systems in place that promote resilience. Indeed, this is essential if they are to survive and continue to thrive in the industry.
Key questions financial firms should ask to test their cybersecurity readiness and operational resilience
- Can we keep the business running during a cyberattack? (Business Continuity)
- How quickly can our IT systems recover after a disruption? (Disaster Recovery)
- Are we equipped to bounce back from a major breach or outage? (Cyber Resilience)
- Do we have effective controls in place to detect, respond to, and manage incidents? (Incident Management)
- Are we prepared to communicate clearly and act decisively during a crisis – both internally and externally? (Crisis Management)
- Who’s accountable for overseeing resilience efforts, and are they truly in control? (Governance & Oversight)
Testing and validating resilience
It’s one thing to have plans on paper, and another to know they work. Regular testing validates assumptions and reveals gaps.
- Tabletop Exercises: Simulate attacks or outages with leadership and IT teams, and explore decision-making under pressure.
- Training courses for staff: Short courses with quizzes raise awareness of the threats staff could encounter in their day-to-day online activities and help prepare them to respond.
- Metrics That Matter: Move beyond compliance checklists. Track mean time to detect, respond and recover, and measure how quickly operations can resume after a disruption.
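The three metrics named above are only useful if they are computed the same way every time. The following is an added example, not code from the original article or from Corlytics: it derives mean time to detect, mean time to respond and mean time to recover from incident records (the timestamps, field names and the three sample incidents are constructed assumptions), excludes still-open incidents from the recovery figure rather than silently counting them as zero, and rejects records whose timestamps are out of order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One incident record (constructed schema for this example).

    occurred_at  - when the disruption began
    detected_at  - when it was first detected
    responded_at - when the response team began acting
    recovered_at - when normal operations resumed (None while still open)
    """
    incident_id: str
    occurred_at: datetime
    detected_at: datetime
    responded_at: datetime
    recovered_at: Optional[datetime]


def parse_incident(record: Dict[str, Optional[str]]) -> Incident:
    """Build an Incident from a dict of ISO-8601 strings, e.g. one row of a ticketing export.

    Timestamps must be in causal order; an out-of-order record is a data-quality
    problem that would corrupt the averages, so it is rejected rather than included.
    """
    def ts(key: str) -> Optional[datetime]:
        value = record.get(key)
        return datetime.fromisoformat(value) if value else None

    inc = Incident(
        incident_id=record["incident_id"],
        occurred_at=ts("occurred_at"),
        detected_at=ts("detected_at"),
        responded_at=ts("responded_at"),
        recovered_at=ts("recovered_at"),
    )
    if not (inc.occurred_at <= inc.detected_at <= inc.responded_at):
        raise ValueError(f"{inc.incident_id}: timestamps out of order")
    if inc.recovered_at is not None and inc.recovered_at < inc.responded_at:
        raise ValueError(f"{inc.incident_id}: recovered before response began")
    return inc


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def resilience_metrics(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """Mean time to detect, respond and recover, in hours.

    detect  = occurred_at  -> detected_at
    respond = detected_at  -> responded_at
    recover = responded_at -> recovered_at, over closed incidents only
    """
    if not incidents:
        raise ValueError("no incidents to measure")
    detect = [_hours(i.detected_at - i.occurred_at) for i in incidents]
    respond = [_hours(i.responded_at - i.detected_at) for i in incidents]
    closed = [i for i in incidents if i.recovered_at is not None]
    recover = [_hours(i.recovered_at - i.responded_at) for i in closed]
    return {
        "incident_count": len(incidents),
        "open_incidents": len(incidents) - len(closed),
        "mttd_hours": mean(detect),
        "mttr_respond_hours": mean(respond),
        # None, not 0, when nothing has been recovered yet: an average over an
        # empty set would misreport recovery capability.
        "mttr_recover_hours": mean(recover) if recover else None,
    }


# Constructed sample records; the third incident is still open.
SAMPLE_RECORDS = [
    {"incident_id": "INC-001", "occurred_at": "2024-03-01T08:00:00",
     "detected_at": "2024-03-01T09:00:00", "responded_at": "2024-03-01T09:30:00",
     "recovered_at": "2024-03-01T13:30:00"},
    {"incident_id": "INC-002", "occurred_at": "2024-03-10T22:00:00",
     "detected_at": "2024-03-11T01:00:00", "responded_at": "2024-03-11T01:45:00",
     "recovered_at": "2024-03-11T07:45:00"},
    {"incident_id": "INC-003", "occurred_at": "2024-03-20T12:00:00",
     "detected_at": "2024-03-20T12:30:00", "responded_at": "2024-03-20T12:45:00",
     "recovered_at": None},
]


def sample_metrics() -> Dict[str, Optional[float]]:
    return resilience_metrics([parse_incident(r) for r in SAMPLE_RECORDS])


if __name__ == "__main__":
    for name, value in sample_metrics().items():
        print(f"{name}: {value}")
```

Run against a real ticketing export, the same function gives a trend line that can be compared quarter over quarter, which is what distinguishes a resilience metric from a compliance checkbox.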
Testing isn’t just about IT; it’s about ensuring the whole organisation, from comms to legal to leadership, is ready.
It’s no longer enough for financial institutions to simply defend against threats; they must build resilience into the core of their operations. Cybersecurity and operational resilience must work together to ensure firms can withstand, respond to, and recover from disruptions without jeopardising their stability. By asking the right questions, testing their preparedness, and fostering a culture of resilience, firms can stay one step ahead. The goal isn’t just to survive an incident, but to come out stronger because of it.
By Eniola Badru, Legal and Regulatory Analyst, Corlytics