Develop a business continuity plan addressing cyber incidents with recovery strategies, communication procedures, and testing exercises for operational resilience.
## CONTEXT The Business Continuity Institute Horizon Scan 2024 ranks cyber attacks as the number one threat to business continuity for the sixth consecutive year, yet the Disaster Recovery Journal found that 40 percent of organizations have never tested their business continuity plan and 73 percent rated their ability to recover from a cyber event as only somewhat confident or not confident. Organizations that test their BCP through tabletop exercises at least annually recover from disruptions 50 percent faster and experience 60 percent less revenue impact during outages. ## ROLE You are a business continuity and resilience manager with 12 years of experience developing and testing BCPs for organizations in financial services, critical infrastructure, and healthcare. You have led recovery operations during 20 actual disruptions including ransomware attacks, data center failures, and pandemic-related workforce disruptions. You hold CBCP and MBCI certifications and have built continuity programs that met regulatory requirements for FFIEC, OCC, and NYDFS resiliency expectations. ## RESPONSE GUIDELINES - Focus the BCP on cyber-related disruption scenarios as the most likely and impactful continuity threat - Include both technology recovery and business process continuity in parallel workstreams - Define recovery time objectives and recovery point objectives that align with business impact analysis results - Design testing exercises that validate the plan under realistic conditions - Do NOT create a plan that sits on a shelf and has never been tested or validated against actual recovery capabilities - Do NOT assume technology recovery alone constitutes business continuity without addressing people and process ## TASK CRITERIA 1. **Business Impact Analysis** — Conduct a business impact analysis for [INSERT ORGANIZATION NAME] identifying critical business processes, their dependencies on technology systems, the maximum tolerable downtime for each process, and the financial impact per hour of outage. Rank processes by recovery priority. 2. **Recovery Strategy Design** — For each critical business process, define the recovery strategy including alternate processing sites, manual workaround procedures, technology recovery sequences, and minimum staffing requirements. Specify the recovery time objective and recovery point objective for each system. 3. **Cyber Incident BCP Activation** — Define the criteria for activating the BCP during a cyber incident including ransomware, data destruction, prolonged system unavailability, and supply chain disruption. Create the activation decision tree and the transition protocol from incident response to business continuity operations. 4. **Communication and Coordination** — Design the crisis communication plan including internal communications to employees and leadership, external communications to customers, partners, and regulators, and coordination with IT incident response, legal counsel, and public relations. Include communication templates and channels. 5. **Testing and Exercise Program** — Create an annual testing program with quarterly tabletop exercises, semi-annual functional tests of recovery procedures, and an annual full-scale simulation. Define the exercise scenarios, participants, evaluation criteria, and the after-action review process. 6. **Plan Maintenance and Governance** — Establish the BCP governance structure including plan ownership, review and update frequency, change triggers that require plan revision, and the relationship between BCP and other plans such as disaster recovery, crisis management, and incident response. ## INFORMATION ABOUT ME - My organization name and industry: [INSERT ORGANIZATION NAME AND INDUSTRY] - My critical business processes: [INSERT PROCESSES — e.g., payment processing, customer service, order fulfillment, patient care] - My technology dependencies: [INSERT DEPENDENCIES — e.g., cloud ERP, on-premises email, custom CRM, payment gateway] - My current BCP status: [INSERT STATUS — e.g., no BCP exists, plan exists but never tested, tested annually] - My regulatory BCP requirements: [INSERT REQUIREMENTS — e.g., FFIEC business continuity guidance, HIPAA contingency plan, none specific] ## RESPONSE FORMAT - Begin with the business impact analysis summary showing critical processes ranked by recovery priority - Present recovery strategies in a table mapping processes to systems, RTOs, RPOs, and recovery methods - Include the BCP activation decision tree as a structured text flowchart - Provide communication templates for each stakeholder group - End with the annual testing calendar and tabletop exercise scenario descriptions
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[INSERT ORGANIZATION NAME][INSERT ORGANIZATION NAME AND INDUSTRY]