Cyber Attack Exercise Planned

Financial Services Industry to Participate in Simulation to Test Security Measures

How prepared is the financial services industry in the event of a cyber attack?

The Financial Services Information Sharing and Analysis Center (FS-ISAC), a national industry forum, will conduct Cyber Attack Against Payment Processes (CAPP), an exercise to measure the ability of financial institutions, payment processors, businesses and retailers to respond to and recover from major cyber incidents.

The nationwide simulation exercise, slated for February 9-11, will be in the form of a virtual tabletop exercise, similar to what the industry did during the pandemic preparation testing in 2007, says Bill Nelson, FS-ISAC's CEO and president.

"We are pleased with the industry response and support we have received for conducting the CAPP exercise," says Nelson. He adds that support for the event has already come from NACHA and the Regional Payments Associations, American Bankers Association, Independent Community Bankers Association, Association for Financial Professionals, U.S. Chamber of Commerce, BITS Financial Services Roundtable, Federal Reserve Retail Payment Office and FS-ISAC membership, including the Payments Processor Information Sharing Council.

Main Objectives
The exercise is open to all in the industry. The exercise's goals are:

  • Raise awareness, educate, and test the ability of financial services firms, card processors, businesses and retailers to respond to major cyber attack incidents;
  • Make recommendations for improvements to cyber incident response procedures;
  • Evaluate and develop appropriate risk mitigation recommendations in response to the cyber payments attacks used in the exercise;
  • Engage participants going forward on the need to share threat, vulnerability and incident information;
  • Develop an after-action report that can be used for workshops, webinars and ongoing educational sessions regarding the lessons learned from the exercise.

The industry-wide exercise comes a little over one year after news of the Heartland Payment Systems breach was made public. That breach of an estimated 130 million accounts, thought to be the largest breach ever reported, is one of the unstated reasons for the exercise, along with the increasing number of cyber attacks being made against U.S. government computer networks and infrastructure.

Three Different Attacks
The exercise is designed to present a new attack scenario to participants on each of the three days. "Participants will activate their own internal response procedures based on the scenario received, and will complete an anonymous survey provided with the scenario to evaluate their emergency response," Nelson says. At the end, FS-ISAC will share the aggregated data with participants and identify key lessons learned, areas for improvement, and recommended best practices.

"When cybersecurity threats occur, swift and well-planned reactions can mean the difference between business continuity and business catastrophe," says Nelson. "This is especially true with cyber attacks against payment processes."

Banks, credit unions, other financial institutions, retailers, card processors and businesses of all sizes are invited to participate in the exercise. There is no charge to take part in the exercise, and participants will receive an after-action report including best practices and mitigation techniques. For more information, visit www.fsisac.com/capp. The deadline to register is January 29.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



