The sophistication of cyberthreats has fundamentally reshaped the risk landscape.
Executives must view resiliency planning as a strategic priority.
Assessments and tailored continuity programs can help banks develop plans.
As the financial services sector faces evolving risks and regulatory scrutiny, effective resiliency planning is paramount. In a recent webinar, industry professionals from RSM US LLP and certification organization Sheltered Harbor® explored how financial institutions can bolster their operational resilience to withstand disruptions ranging from cyberattacks to other disasters.
Modern financial institutions operate in a landscape shaped by sophisticated cyberthreats, artificial intelligence-driven fraud, complex third-party relationships and unpredictable global events. The ability to maintain uninterrupted services during crises is a regulatory expectation and a competitive imperative. Executives must view resiliency planning as a strategic priority, with a focus on business continuity, disaster recovery and organizational resilience as the foundation of a robust response to disruption.
Below, we highlight three key areas of focus for resiliency planning. We also explore the critical role of frameworks like Sheltered Harbor in safeguarding vital operations and data.
Conducting a thorough business impact analysis (BIA) is critical to financial institutions’ resiliency efforts. By systematically identifying critical business activities, resources and dependencies, institutions can better prioritize their response and recovery efforts. A resilience-focused BIA serves as the cornerstone for critical-service continuity planning, ensuring that resources are allocated to the most essential functions and that recovery strategies align with both business needs and regulatory requirements. The organization should keep the BIA data current so that it also informs disaster recovery and cybersecurity resilience planning, and so that gaps requiring mitigation for that broader purpose are identified.
Business continuity and resilience plans are critical to mitigating risk, but such plans are only as strong as their details and validation processes. A robust business continuity and resilience plan requires detailed documentation of recovery steps, responsible parties, escalation procedures and communication protocols. Regular testing and validation help ensure plans remain effective and relevant. Aligning plans with recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical services is essential, as is incorporating lessons learned from exercises and real incidents.
Frequent missteps in recovery planning include outdated documentation, insufficient testing and failure to align plans with actual business needs. To avoid these pitfalls, executives should foster a culture of continuous improvement. That involves regularly reviewing and updating plans to account for new threats, regulatory changes and lessons learned from incidents. Establishing a business continuity and resilience steering committee composed of key stakeholders is also important for coordinating these efforts. Regular check-ins between the business continuity coordinator and the leaders of all critical functions can further ensure strategic and operational alignment.
The sophistication and speed of cyberthreats, often powered by AI, have fundamentally reshaped the risk landscape. Financial institutions must go beyond traditional defenses by adopting flexible, adaptive plans that address both internal vulnerabilities and external dependencies. This includes strengthening oversight of third-party vendors and ensuring their resilience measures are integrated into the institution’s overall strategy.
Even though, according to recent RSM research, reported breaches declined in 2025, it’s important that organizations not get too comfortable in the face of cybersecurity threats. According to the findings of the RSM US Middle Market Business Index Special Report: Cybersecurity 2025 from the first quarter of the year, nearly one in five (18%) middle market companies experienced a data breach in the previous year. That is down from a record high of 28% in 2024. The decline in reported breaches “is certainly positive,” the report noted, “but this year’s results are consistent with data from previous years outside of the spike in 2024. In addition, with methods becoming more sophisticated, some attacks may go undetected, highlighting the importance of continuously strengthening controls.”
Attaining a Sheltered Harbor certification is a crucial step for financial institutions pursuing greater cyber resilience. Sheltered Harbor is a nonprofit, industry-led standards-setting and certification organization composed of financial institutions, core service providers, national trade associations, alliance partners and solution providers dedicated to enhancing the financial sector’s stability and resiliency.
Designed specifically for the financial sector, Sheltered Harbor offers a comprehensive approach to protecting and recovering critical account data during severe cybersecurity events. By implementing data vaulting and standardized resilience protocols, financial institutions can ensure rapid restoration of core services, even when traditional IT infrastructure is compromised. The framework complements existing business continuity and disaster recovery strategies, providing an additional layer of assurance for both institutions and their customers.
Assessments and tailored continuity programs can help financial institutions develop comprehensive, actionable plans to boost resilience. Working with a third-party advisor and Sheltered Harbor-qualified assessor such as RSM can be a good first step in developing a timely roadmap to meet the challenges of an increasingly complex financial landscape.