Simulation Designed to Help Test Defenses
By Tracy Kitten, September 23, 2013
More than 1,000 banks will test their incident response strategies by participating in a simulated cyber-attack exercise. SWACHA's Dennis Simmons says the drill, which is open to more participants, will help bolster defenses.
Banks are interested in testing their defenses in the wake of recent cyber-attacks, says Simmons, president and CEO of SWACHA, a regional payments association. Those attacks include account-takeover attempts linked to phishing and ACH and wire fraud, as well as distributed-denial-of-service attacks that are sometimes waged as modes of distraction to veil fraud.
"[The simulation] helps an institution understand its own internal communication and internal response to these types of incidents," Simmons says in an interview with Information Security Media Group. And the drill can help banks and credit unions update their cyber-attack response plans.
Educating banking institutions about the possible risks they face during a cyber-attack is a goal of the simulated attacks, he says. For example, he points out: "The bad guys may launch a DDoS attack to divert attention [so they can] hijack an account or initiate fraudulent wire transfers."
Open to More Participants
Banks can still sign up at the FS-ISAC website to participate in the two-day drill in October, which is sponsored by SWACHA, along with NACHA-The Electronic Payments Association; the Financial Services Information Sharing and Analysis Center; and numerous state banking associations.
Banking institution employees participating in the simulated attacks will be e-mailed attack scenarios and then asked to develop response strategies, he explains. "It's a tabletop exercise. All you need to participate is an e-mail address and telephone."
During this interview, Simmons discusses:
Communication challenges banking institutions face in the wake of a cyber-attack;
Why payments breaches and network vulnerabilities are getting more attention; and
How law enforcement is working with SWACHA, FS-ISAC and others to encourage more cyber-attack simulations.
As head of SWACHA, Simmons is a nationally recognized payments expert. He serves on the board of directors for NACHA. He's chairman of NACHA's Government Relations Committee, past chairman of NACHA's Electronic Check Council and past co-chairman of NACHA's Risk Management Advisory Group. He also is the immediate past chairman of the Payments Executives Leadership Forum. He is a founding member of the board of directors of the Secure Remote Payment Council and a member of the advisory council and faculty of the Bank Operations Institute at Southern Methodist University.
FS-ISAC CAPP Exercise for Financial Institutions
FS-ISAC Financial Institution CAPP Exercise
October 16-17, 2013 and October 23-24, 2013
These CAPP Exercise sessions are designed for financial institutions that provide payment services. A downloadable summary is available for more information.
What would your financial institution do in the event of a cyber attack on your online banking environment?
Over a two-day period in the fall of 2013, the Financial Services Information Sharing and Analysis Center (FS-ISAC), in conjunction with the Payments Risk Council (PRC), is conducting a simulated attack on payment processes to help you assess your company's readiness in the event of such an attack or event.
A similar exercise was conducted in 2012 that helped the industry identify ways to prevent, detect and respond to cyber attacks against payment processes. In a time when account takeovers, breaches at technology companies, denial of service attacks and other cyber-crimes are affecting the industry, it is imperative that your company knows how to react if it happens to you.
Your organization can’t afford to miss the 2013 CAPP Exercise.
CAPP Exercise Benefits
By participating in this simulated cyber attack exercise, your organization will be able to:
Evaluate your current risk mitigation procedures related to cyber attacks and identify potential critical gaps in planning
Engage in a live test of your incident response team’s ability to respond to major incidents
Raise awareness and educate your staff regarding procedures to respond to complex threats
Benchmark your business practices based on the responses of other firms
Develop appropriate risk mitigation recommendations in response to the types of attacks used in this exercise
Receive an after-action report highlighting lessons learned from the exercise and category benchmark results
Demonstrate regulatory compliance
When will this take place?
Choose from one of two weeks:
October 16–17, 2013 - Registration Deadline: 10/9/13
October 23–24, 2013 - Registration Deadline: 10/16/13
Who should participate?
Financial institutions that provide payment services and are exposed to cyber attacks.
How much will this cost?
Participation is free.
How do I register?
You may register through the online registration link on the FS-ISAC website.
How much time will this take to complete?
The exercise will be conducted over two consecutive days, and the concluding survey will require less than one hour each day to complete.
You will receive each day's scenario in the morning, and we ask that you complete the survey portion by 12:00 midnight EST.
Organizations may wish to use this as an opportunity to conduct a drill within their own company; time requirements will vary.
What does our financial institution get out of participating?
Your institution's incident response team will be able to evaluate your readiness if faced with a cyber attack. All participants will receive a summary of the exercise results.
What is the Payments Risk Council?
The Payment Risk Council’s goal is to share payment risk information for ACH, checks and wire payments as well as best practices to mitigate payment risk. PRC members are financial institution risk professionals, NACHA risk staff and ACH regional payment association managers.
Will this be an actual vulnerability test of my system?
No, this exercise is only a simulation. Each day of the exercise you will receive an email with that day’s scenario, a link to a broadcast of information about the scenarios and a series of questions for your organization to answer. When you are ready to answer the questions, you can click on the link to the survey tool to answer the questions for that day.
Will my organization's information be published?
No, all participants and their input will be anonymous.
If my organization is not a member of FS-ISAC, can we participate?
Yes, this exercise is for the benefit of all organizations involved with payments.
Will the exercise require any special software?
No, you will only need an internet connection and email. You will be provided a link to an online survey tool called Survey Monkey where you will enter your responses.
What type of job functions should participate in the exercise?
IT Risk, IT Operations, Line of Business Managers, Call Center Management, Online Banking Managers, Treasury Managers, Legal and Compliance, Corporate Communications and any other function in the financial institution that would respond to a cyber attack against the institution.
What will my organization have access to when the exercise is completed?
You will have peer data to compare through an interactive after-action report. Again, all company information will be kept confidential.
How can I use the results to benchmark my own organization’s performance?
Data will be available to you to sort by industry type, geographical location or size.
What is FS-ISAC?
The Financial Services Information Sharing and Analysis Center was launched in 1999. The FS-ISAC was established by the financial services sector in response to Presidential Directive 63 from 1998. That directive, later updated by Homeland Security Presidential Directive 7 in 2003, mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.