Finding #8

Lack of Microsoft 365 Backup

Priority Level: One    Category: Cybersecurity / Business Continuity

Description: The bank has no dedicated backup solution for Microsoft 365 (MS365), a critical system that should be backed up and covered by the Business Continuity and Disaster Recovery (BCDR) Plan. Microsoft retains only 7 days of data after deletion or loss, so the bank is exposed to permanent data loss from cyberattacks, disgruntled employees, or accidental deletions. Losing this data can disrupt client and internal communications, and where documents are also stored in MS365, the same gap puts sensitive data at risk.

Impact:

  • Permanent data loss from incidents, leading to operational disruptions, financial losses, and reputational harm.
  • Non-compliance with FFIEC guidelines on data recovery and backups, risking regulatory penalties and poor audit outcomes.
  • Inability to restore critical communications or documents, affecting client services and business continuity.

FFIEC Reference:

  • FFIEC Cybersecurity Assessment Tool (May 2017):
    • "Controls for primary and backup third-party connections are monitored and tested on a regular basis." (p. various)
  • FFIEC IT Examination Handbook, Management (November 2015):
    • "Data recovery and reconstruction expense... business continuity program and the results of testing of the plan and backup systems." (p. various)

Recommendations:

  • Implement a third-party MS365 backup solution (e.g., integrated with Datto or similar) so that MS365 data is retained long term, beyond Microsoft's 7-day window.
  • Incorporate MS365 backups into the BCDR plan and test restores regularly to confirm that data can actually be recovered.
  • Assess how data is stored in MS365 and apply encryption and access controls to reduce the risk from insider threats or user error.

Prioritization Rationale:

  • Priority One: These findings address critical cybersecurity and data protection risks with high potential for breaches, data loss, and regulatory penalties. They represent immediate vulnerabilities in cloud and remote access.