Kyle Boffa is the Disaster Recovery and Incident Manager at Bank of Valletta plc with over 17 years of experience at the institution. Based in Malta, Kyle has a deep background in disaster recovery, managing and enhancing the bank's resilience and response strategies in critical situations.
In an exclusive interview with CIOReview Europe, Boffa shared his views on disaster recovery and incident management in everyday operations.
Journey towards Bank of Valletta
My career journey has been shaped by a thorough understanding of how the Bank operates. From my early student years, I started working in various areas across the Bank, from branches to operational departments, and eventually to the IT section. This has offered me a deep insight into how all functions of the Bank operate and are intertwined, thus showing the commitment they have to resilience and availability. After transferring to the IT services section, I gradually specialised in areas that demanded both technical precision and strategic foresight. Over time, I gravitated towards Disaster Recovery and Incident Management, recognising their critical role in safeguarding organisational continuity and trust, and understanding the pivotal role this has in the success of Bank of Valletta.
Cultivating Customer Trust and Market Confidence
My approach to Disaster Recovery in the financial industry is anchored in the belief that resilience must be regulatory-compliant and, more importantly, operationally sound. In a sector where even minutes of downtime can erode customer trust and market confidence, I prioritise aligning recovery strategies with business-critical functions. This means ensuring that Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are not just theoretical benchmarks, but realistic and achievable under pressure. The Bank also aims for scenario-based planning, tailoring recovery procedures to specific threats such as cyberattacks or infrastructure failures, so that our response is both targeted and effective.
“True resilience is built when every team understands its role and the organisation can adapt swiftly without waiting for a crisis to validate its plans.”
Equally important is the integration of Disaster Recovery into the wider operational resilience framework. I focus on cross-functional coordination, clear ownership structures, and continuous testing to validate readiness across teams. Communication plays a vital role: every stakeholder, from IT to business units, must understand their role and be equipped to act decisively. In my previous article, I mentioned that Disaster Recovery should be considered a cultural shift, one that, when embraced and embedded in an organisation's culture and governance, ensures that the frameworks not only meet compliance standards but also deliver real-world protection when it matters most.
Recovery Framework for Cyber Threat
In a sector as exposed to cyber and operational threats as banking, ensuring disaster recovery frameworks meet compliance standards starts with embedding regulatory alignment into every layer of planning. At Bank of Valletta, we adhere to regulations such as NIS2 and DORA, while also integrating operational resilience principles that go beyond minimum requirements. Our documentation is structured, version-controlled, and reviewed at least once annually, with clear ownership assigned across IT, business units, and governance teams, through policies and procedures. We maintain auditable logs, segmented recovery environments, and restoration integrity checks to ensure that our procedures are not only compliant but also defensible under scrutiny.
However, compliance alone doesn’t guarantee protection. To deliver real-world resilience, we simulate realistic scenarios—ransomware attacks, data centre outages, and third-party failures—so our teams are trained to respond under pressure. We prioritise clarity and coordination, ensuring that every stakeholder knows their role and can act decisively. Our disaster recovery plans are housed in a central platform linked to our CMDB, making them accessible and actionable during incidents. By combining regulatory rigour with operational practicality, we ensure that our recovery frameworks protect both the Bank’s reputation and its ability to serve customers without interruption.
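The two points above that lend themselves to a concrete check are that RTOs and RPOs should be measured against real drill results rather than assumed, and that a restore should be verified for integrity rather than merely reported as finished. The script below is an added illustration of both and is not Bank of Valletta's code or tooling: the drill record layout, the SHA-256 manifest recorded at backup time, and the sample payments-service drill are all constructed assumptions for the example.

```python
"""Score a disaster-recovery drill against its RTO/RPO and verify restore integrity.

Added illustration; not Bank of Valletta code. The record layout, the SHA-256
manifest, and the sample drill data are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Objectives:
    rto: timedelta  # maximum tolerable time from incident declared to service restored
    rpo: timedelta  # maximum tolerable data loss, measured back from the incident


@dataclass
class DrillRecord:
    service: str
    incident_declared: datetime
    last_good_backup: datetime          # timestamp of the restore point actually used
    service_restored: datetime
    backup_manifest: dict[str, str]     # path -> SHA-256 recorded when the backup was taken
    restored_files: dict[str, bytes]    # path -> bytes read back from the recovered environment


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(manifest: dict[str, str], restored: dict[str, bytes]) -> list[str]:
    """Compare what came back from the restore with what was recorded at backup time.

    A restore job that 'succeeded' but returned stale or partial data passes a naive
    'did the job finish?' check; hashing every artefact against the manifest does not.
    """
    problems: list[str] = []
    for path, expected in sorted(manifest.items()):
        if path not in restored:
            problems.append(f"missing:{path}")
        elif sha256_hex(restored[path]) != expected:
            problems.append(f"mismatch:{path}")
    for path in sorted(set(restored) - set(manifest)):
        problems.append(f"unexpected:{path}")
    return problems


def evaluate_drill(record: DrillRecord, objectives: Objectives) -> dict:
    """Return the measured RTO/RPO and whether each objective and the integrity check held."""
    actual_rto = record.service_restored - record.incident_declared
    actual_rpo = record.incident_declared - record.last_good_backup
    problems = verify_restore(record.backup_manifest, record.restored_files)
    rto_met = actual_rto <= objectives.rto
    rpo_met = actual_rpo <= objectives.rpo
    return {
        "service": record.service,
        "actual_rto": actual_rto,
        "actual_rpo": actual_rpo,
        "rto_met": rto_met,
        "rpo_met": rpo_met,
        "integrity_ok": not problems,
        "problems": problems,
        # A drill only counts as a pass when all three hold.
        "passed": rto_met and rpo_met and not problems,
    }


# Constructed sample drill (not real data): a payments service with a 4-hour RTO and a
# 15-minute RPO. The restore point used was 20 minutes old, and one config file came
# back from the wrong copy, so the drill should fail on RPO and on integrity.
SAMPLE_OBJECTIVES = Objectives(rto=timedelta(hours=4), rpo=timedelta(minutes=15))
SAMPLE_DRILL = DrillRecord(
    service="payments-gateway",
    incident_declared=datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc),
    last_good_backup=datetime(2024, 3, 10, 1, 40, tzinfo=timezone.utc),
    service_restored=datetime(2024, 3, 10, 5, 50, tzinfo=timezone.utc),
    backup_manifest={
        "ledger.db": sha256_hex(b"ledger snapshot v1"),
        "gateway.yaml": sha256_hex(b"endpoint: prod"),
    },
    restored_files={
        "ledger.db": b"ledger snapshot v1",
        "gateway.yaml": b"endpoint: staging",  # stale configuration restored
    },
)


def sample_result() -> dict:
    return evaluate_drill(SAMPLE_DRILL, SAMPLE_OBJECTIVES)


if __name__ == "__main__":
    for key, value in sample_result().items():
        print(f"{key}: {value}")
```

The sample drill meets its RTO (3 h 50 min against a 4-hour target) but breaches its RPO (the restore point was 20 minutes old against a 15-minute target) and fails integrity on `gateway.yaml`; a report that only recorded "restore completed" would have marked it a success.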
Building Awareness and Readiness
I build awareness and readiness by embedding incident response into everyday operations, ensuring that both IT and front-line staff understand their roles through clear documentation, regular training, and scenario-based simulations. We maintain a structured lifecycle that includes planning, detection, response, and post-incident learning, supported by accessible runbooks and cross-functional coordination. This approach fosters a culture of vigilance and accountability, so when disruptions occur, every team knows how to act swiftly and effectively. When it comes to Incident and Problem Management, we also provide company-wide training guides and assessments, not only to assist end users but also to help them realise the importance of correct reporting and prioritisation.
Advice to Financial Industry Leaders
To move beyond "check-the-box" disaster recovery, financial industry leaders must treat resilience as a strategic enabler, not just a compliance requirement. All too often, I encounter other professionals within the same sector who focus heavily on the regulatory requirements and not sufficiently on integrating Incident and Disaster Recovery into their daily operations. My advice is to embed recovery planning into business decision-making, aligning it with customer expectations, regulatory obligations, and operational realities. Invest in scenario-based testing, cross-functional training, and clear ownership structures so that recovery becomes intuitive, not reactive. True resilience is built when every team understands its role and the organisation can adapt swiftly without waiting for a crisis to validate its plans.