Use this module if your cyber incident involves activity such as finance and treasury management, income collection, and payments to residents and suppliers.
A serious cyber incident can have significant impacts on your council’s financial management, and in turn your ability to deliver critical services. The response to an incident typically requires an immediate, total shutdown of IT services whilst the cause and impact are identified. This will cause significant impacts across service delivery and financial management, potentially for an extended period.
Even if an attack does not directly affect your core finance system, you may still experience significant impacts because of the incident and impacts on other systems (e.g. revenues, benefits, and housing rents).
Impacts are likely to include:
immediate operational risks due to lack of access to financial systems and data
revenue and cash flow impacts, with potential long-term impact on income collection and other revenue streams (e.g. benefits subsidy)
statutory and regulatory impacts, including reporting and audit
significant costs relating to the work of response and recovery, including costs due to increased demand and backlogs affecting services across the council.
Your key strategic actions
These are the critical actions to keep in focus throughout your response and recovery work. (Note: these are a strategic guide, not an exhaustive list of every action you should take.)
Do not expect a rapid recovery; plan for your systems to be impacted for weeks or months.
Expect services across the council to need additional support from the finance team, in addition to the work required to sustain and recover the finance operation itself.
Engage early with external partners (including auditors, banking providers, the Ministry of Housing, Communities and Local Government (MHCLG) and the Department for Work and Pensions (DWP)).
Prioritise financial processes with critical timings (e.g. payroll, month-end and year-end).
Establish clear teams and coordination for the financial response and recovery.
Clarify decision-making and governance for financial commitments during disruption.
Plan for continuity of essential services like payroll and urgent payments (e.g. benefits and payments to suppliers who have less financial resilience), including identifying where business continuity workarounds may introduce financial risk (e.g. benefits subsidy / local authority error).
Clarify insurance arrangements and engage insurers early.
Maintain communication with suppliers, debtors, and creditors.
Plan for income recovery and managing backlogs (e.g. council tax, rents).
Validate interim payment arrangements and make sure you have measures in place to mitigate fraud risks.
Ensure clear reconciliations between workaround systems and restored systems to avoid qualified accounts following recovery.
Account accurately for all response and recovery spending by using a unique emergency analysis code.
Capture learning for future resilience.
Learning from previous incidents
Other councils who have experienced serious cyber incidents have found that:
Using the Cyber Grab Bag as a comprehensive guide has helped to deliver a thorough response and recovery.
It is essential to define clear priorities for business continuity arrangements, focused on the most critical impacts for the council and residents so that teams know where to focus while normal working is disrupted.
While many of your usual controls and processes will rely on your finance systems, in the event of system disruption or unavailability it is still possible to set up manual or workaround control processes using alternative tools and approaches (e.g. additional checks on payments, manual records).
It is helpful to keep an offline copy of your scheme of delegation. If this is unavailable after an incident, work quickly to recreate and validate it, so you are clear about decision-making authority.
It is also essential to work closely with legal and governance teams to ensure that appropriate arrangements are in place for financial decision making and approvals during the period of disruption.
It is safest to assume that sensitive data will have been stolen as part of the attack. This could include sensitive finance data. It is important to prepare for mitigations against these data breaches, and only step those down when you are confident that they are no longer needed. These may last for longer than the service recovery itself.
Guidance across the different time stages
A serious cyber incident can have very significant financial impacts. Ensure that the S151 and Deputy S151 officers are aware and kept informed as you clarify the initial picture.
Consider how you will communicate across your teams. The incident may have impacted your everyday communication systems (e.g. Microsoft Teams), so having up-to-date contact details of staff members to inform them of the incident is crucial.
Assume that the impacts will last for an extended period of time (months, not days or weeks) and work rapidly to develop a clear picture of critical timescales that you will need to plan for (e.g. payroll, month-end, year-end, payment runs, annual audit).
Build as clear a picture as possible of which systems are impacted, including financial processes outside of the core finance system (e.g. rents, Council Tax, business rates and benefits). Use this to guide your response and recovery planning. As part of this ensure that you also understand processes that rely on spreadsheets or other systems outside of the core finance system to inform your response, identify workarounds and plan recovery.
Consider how you can establish clear teams focused across the different aspects of managing the response and recovery for finance. Set up clear leadership and coordination and don’t restrict these to conventional structures (e.g. establish clear coordination arrangements across all income streams).
Make arrangements to ensure that you can accurately account for spend relating to the cyber response and recovery. For example, set up appropriate analysis codes if you have access to your finance system or a workaround solution where you do not.
Work with services to begin to build the picture of costs that you should expect to incur so you can plan for the financial impacts of the response and recovery. This will include technical response and recovery, and additional people and other resources required for the recovery work.
Clarify decision making, governance and reporting for financial commitments and procurement relating to the response and recovery. You are likely to find that normal processes are unable to respond at the pace needed. However, you will still need to demonstrate that you are acting in accordance with the scheme of delegation and democratic processes.
Ensure that finance is appropriately represented in Gold/strategic and Silver/tactical arrangements.
Make arrangements to inform partners so they are aware of the incident, provide them with appropriate assurance and help them know what to expect and plan for. For example:
local partners who joint fund work
suppliers who will want to know your plans for payments
Produce a schedule of regular payments to identify when regular payments are due and where emergency payments may be needed. Prioritise suppliers based on financial resilience.
Ensure that you have clear plans for managing payroll if normal payroll systems and processes have been impacted by the incident.
Where you need to process emergency payments outside of your normal systems, ensure that you make arrangements to account for these and take necessary steps to prevent fraud.
Identify where business continuity workarounds may introduce financial risk. For example, if you need to repeat previous benefits payments while normal systems are unavailable there may be risks relating to benefits subsidy or local authority error that you will need to monitor and will require you to engage with DWP.
Clarify your insurance arrangements, including whether you have cyber cover or public liability cover. Keep your insurers close to your recovery work and work with them to develop plans to support any residents, suppliers, or other partners who may be at risk of potential fraud because of stolen data or other actions taken by the threat actors.
Consider any impacts on your Treasury management caused by inability to access online banking or investment platforms, which could lead to missed debt repayments and lost interest revenue.
Once you are clear about systems that have been impacted, start to consider how you will plan for income recovery (e.g. Council Tax, Business Rates, housing rents and service charges) and key payments such as Housing Benefits payments. Consider how you will prioritise these, how you will manage backlogs of work resulting from the disruption, and how you will keep creditors and debtors informed.
Once your immediate response and continuity arrangements are in place, engage your internal and external auditors at the earliest opportunity. Ensure that they are aware of the incident, your response and recovery work, and plan together to ensure that you will be able to meet audit requirements when required.
Validate your payment arrangements. Confirm that arrangements are in place where urgent payments are needed (e.g. benefits, carers, support for vulnerable people and suppliers with least financial resilience).
Plan for arrears in income (e.g. Council Tax, Business Rates, rents, and service charges). Make sure you are clear about how you will keep debtors informed, how you will recover outstanding payments, and how you will maintain an evidence base of your communications to support your future debt recovery.
Make sure that you validate your arrangements to mitigate risks of fraud and overpayments. Be clear about how you will monitor and assure these.
Maintain communication with suppliers, continue to monitor where emergency payments might be needed to ensure continuity of service, and consider exploring where increased credit limits may be available.
Also maintain regular communication with central Government departments and agencies, such as DWP and MHCLG.
Plan for how you will assess data integrity across restored systems and interim records for business continuity arrangements to ensure that you understand any impacts on audit trails.
Plan for workarounds that might be needed to continue sharing information with partners.
Establish your plans for budget monitoring and forecasting while normal systems are unavailable.
Continue to monitor and plan for the costs of response and recovery.
Use this developing picture of the costs to start your planning for how you will fund them.
Continue to monitor your continuity arrangements, including payments, income collection and communications with partners, suppliers, debtors and creditors.
Use the service and timing priorities that you have established to ensure that there are clear priorities that will guide your recovery steps.
Continue to monitor income recovery to ensure that any long-term impacts on income are minimised.
Ensure that as your recovery to normal systems and processes takes place you have clear reconciliations with your workaround systems so you can demonstrate clear and accurate accounts. Validate this with your external auditors to mitigate against the risks of qualified accounts.
Continue to monitor and plan for the costs of response and recovery.
Ensure that arrangements are in place to capture learning from the response and recovery.
Ministry of Housing, Communities & Local Government: Please use your Local Government Engagement point of contact
You should also ensure that you have or collate contact information for your:
finance and supplier contacts
legal and regulatory contacts
partners.
Useful links and case studies
Gloucester City Council experienced a serious cyber incident in 2021. The impacts included loss of access to the Council’s payroll and financial systems, which meant they had limited financial oversight or budgeting capability.