Strong Disaster Recovery Practices in FinTech: What All Organizations Should Be Doing
Nearly 100% of Financial Organizations Have a Documented DR Plan
It’s true—according to Peak 10’s Financial Services and IT Study: Tackling the Digital Transformation, 96% of financial organizations have a documented disaster recovery (DR) plan. The vast majority are also using a considerable array of DR tools, and making a significant investment in DR overall.
- 86% replicate data
- 85% execute backups
- 68% have active-active designs
It’s not surprising that 96% said they have a plan—because they’re required to. The financial sector is a heavily regulated industry, and a single transaction can literally be worth millions of dollars. In a perfect world, every business would have a formal DR plan, but in the financial sector, there is no acceptable alternative.
A single industry is simultaneously faced with complex and demanding government regulations, the processing and storage of highly sensitive and valuable financial information, and the need to avoid the negative impacts of potential cybersecurity attacks—all of which require a robust, tested disaster recovery plan. The financial sector can’t afford to lose its data.
Why Is DR So Impactful in Finance?
Considering the demands of government regulations and staying on top of cybersecurity, a considerable amount of resources are dedicated to DR in the financial industry. The industry-wide adoption of digitalization has added many additional applications and systems, which means more necessary protection measures. Uptime and availability are key to the day-to-day operations of finance, which also makes DR critical. Banks and insurance companies alike have to guarantee that if a problem brings down one environment, customer portals and applications will not be negatively impacted.
Testing: Annually Is Not Enough
Financial institutions are also relatively adept at DR testing programs, at least in consistency.
- 63% test once per year or less
- 27% test quarterly
- 6% test once per month or more
It’s interesting to note, though, that while finance takes DR programs very seriously, and seems to be testing consistently, they aren’t necessarily testing enough, especially considering the critical nature of their data, applications, and systems overall. At the same time, about one-quarter of the organizations who do execute testing usually uncover problems or gaps, which begs the question: how many untested environments are operating with glitches?
Here’s where a potential problem comes in: banks focus primarily on making sure that financial applications are up and running, most likely because those are the applications the government has requirements for, and because their absence will cause the greatest damage from a customer perspective. While mission-critical applications are a priority, there are other applications that, due to a lack of testing, will likely not come up and run efficiently. When testing is conducted, many banks entirely leave out applications that don’t fall under the tier 1 category. Ideally, however, DR testing should address all applications running in banking environments in depth, even the ones that aren’t necessarily indispensable to the business.
Prioritization could be a key improvement to make. Preserving the main revenue driver should still be the first concern, but categorizing ancillary applications as generally less important and not actually assigning tiers is a mistake—this is where financial institutions should be taking a closer look. If disaster does strike, mission-critical applications might be up and running, but the rest of the business will be scrambling to figure out how to take care of other objectives that are based in business continuity, and not technology. Financial institutions do stellar work with their critical applications, but to avoid scrambling, scrutinizing their entire environments will be key for a fully healthy DR practice.
DR Distinctions in FinTech
It’s clear that the financial sector places particular emphasis on their disaster recovery practices. So, what makes this industry unique in the realm of DR? Two factors:
As mentioned, in finance, one transaction can be worth millions of dollars. Financial institutions want to know how quickly they can make transactions, and whether those transactions can be captured even in DR. Replication technologies with synchronous, nearby copies, as well as asynchronous remote copies, are common. With synchronous replication, a write won’t complete until it has also been copied to the second set of data, so if something happens to the main compute capability, the copy is already current. That way, the business will never lose both copies at once, or lose a single transaction.
Consider trading firms. Prices change quickly, so the faster a firm can make a transaction, the better the price they’re hoping they’ll get. One of the most important things for them is potential latency—it’s as important as the transaction itself. When you look at financial organizations’ DR plans, DR locations are typically not very far from the hub of the financial district because of the latency they’re trying to minimize.
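The trade-off described in the two paragraphs above, as an added example that is not from Peak 10 or its study: a small Python simulation in which a commit is acknowledged only after the nearby synchronous copy has it, while the remote copy is shipped in the background. The class names, latencies and transaction counts are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    rtt_ms: float                     # round trip from the primary (constructed)
    log: list = field(default_factory=list)


class Primary:
    def __init__(self, sync_site, async_site, local_write_ms=0.5):
        self.sync_site = sync_site
        self.async_site = async_site
        self.local_write_ms = local_write_ms
        self.pending = []             # acked writes not yet at the async site

    def commit(self, txn):
        """Ack only after the sync site holds the write; return latency in ms."""
        self.sync_site.log.append(txn)    # synchronous: the ack waits for this
        self.pending.append(txn)          # asynchronous: shipped later
        return self.local_write_ms + self.sync_site.rtt_ms

    def ship_async(self, n):
        """Background shipping of up to n queued writes to the remote site."""
        batch, self.pending = self.pending[:n], self.pending[n:]
        self.async_site.log.extend(batch)


def simulate(sync_rtt_ms, async_rtt_ms=40.0, txns=10, shipped=6):
    """Commit `txns` writes, ship `shipped` of them remotely, then lose the primary."""
    near = Site("metro-dr", sync_rtt_ms)
    far = Site("remote-dr", async_rtt_ms)
    primary = Primary(near, far)
    acked, commit_ms = [], 0.0
    for i in range(txns):
        commit_ms = primary.commit(f"txn-{i}")
        acked.append(f"txn-{i}")
    primary.ship_async(shipped)
    # The primary fails here: its own state and the unshipped queue are gone.
    return {
        "commit_ms": commit_ms,
        "lost_at_sync_site": len(set(acked) - set(near.log)),
        "lost_at_async_site": len(set(acked) - set(far.log)),
    }


if __name__ == "__main__":
    print("sync copy 1 ms away: ", simulate(sync_rtt_ms=1.0))
    print("sync copy 40 ms away:", simulate(sync_rtt_ms=40.0))
```

Every acknowledged transaction survives at the synchronous site, but each commit pays that site's round trip, which is why the synchronous copy is kept close; the asynchronous site adds no commit latency and is missing whatever had not shipped when the primary failed.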
To Cloud, Or Not to Cloud?
Another common piece of feedback from IT decision makers was the perception that cloud providers don’t have the ability to provide the same level of uptime financial institutions are capable of providing for themselves. This is what is keeping financial organizations from using the cloud for DR practices. They tend not to trust environments that aren’t on-premise and managed by employees.
“A cloud provider will never provide the amount of uptime that I can on-prem. I would rather spend millions of dollars and have my own prem. The data center we have hasn’t been down for 15 years. If a cloud provider would give the level of uptime and security that we need, then we would seriously consider cloud. They are just not there; they weren’t there 5 years ago.” – Director of Technology Services at US investment bank
The general hesitation seems to stem from two major factors:
When you talk to most C-level executives about cloud, they aren’t thinking about hosted private cloud. They’re predominantly thinking about a public cloud, or a shared infrastructure with no performance control due to other customers using the same compute.
Security fears are a major blockade to the cloud. Most decision makers express concerns for lack of proper security to guarantee that data won’t be accessed by another customer sharing the same environment. They want assurance that their data is absolutely segregated.
The resolution to the fear is in looking closely at where cloud is going. Today, it offers options for individual environments, with no one else sharing the infrastructure. The advantage of virtualization and cloud is the ability to transition or scale compute resources relatively easily. For example, if you suddenly have trouble with a VM, you can bring up another instance of the VM. In contrast, in the physical world, if you have trouble with a server, you have to fail over to another server and do more work than you would using virtualization infrastructure to move the workload automatically.
Hybrid and hosted private clouds have become viable solutions by eliminating shared infrastructure. Banks and insurance companies can physically segregate their environments while still taking advantage of virtualization features that deliver flexibility. These capabilities are ideal for hosting DR environments while maximizing resources and increasing efficiencies.
Recommendations for Financial CIOs and CTOs
Financial IT decision makers should know that the cloud environment has changed drastically, and evaluating it has become a viable option. Performance is much better, and a lot of the applications that didn’t use to run efficiently do now. Most financial applications run well in the right type of cloud environment, so carefully considering the performance and security characteristics that are available today will make a tremendous difference in the decision-making process. If a bank’s primary environment runs on-premise, a secondary site for DR scenarios will work well in the cloud and eliminate the potential impact of a disaster event that could affect all physical locations.
Additionally, it’s not uncommon for IT teams to want physical and visual access to equipment—this used to be a major hesitation even for colocation. However, reputable cloud providers typically have stringent security controls around environments, both physical and nonphysical, which is another tremendous change to the cloud. Considering this aspect and touring cloud providers’ data centers will give decision makers a firsthand experience of the changes that have taken place since the inception of the cloud. Most data center providers will allow customer access so that your team can be physically present to implement changes themselves.
Further Financial Services IT Insights
Peak 10’s Financial Services and IT Study: Tackling the Digital Transformation generated an abundance of data and insights which we’ve used to create helpful content around current financial IT trends and how to implement best practices within your organization.