Purpose
The FDIC created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.
Using nine unique scenarios, the Cyber Challenge helps start an important dialogue among bank management and staff about ways they address operational risk today and techniques they can use to mitigate this risk in the future. The Cyber Challenge is not a regulatory requirement; it is a technical assistance tool designed to help assess operational readiness.
Background
Financial institution management is typically well versed in addressing traditional banking risks such as interest rate, liquidity, and credit risk. Addressing certain operational risks, however, may be more challenging, since threats to information technology and related operations of banks are increasing and evolving.
Community financial institutions may be exposed to operational risk through internal or external events ranging from cyber attacks to natural disasters. Regardless of the cause, operational risks can threaten an institution’s ability to conduct basic business operations, affect its customer service, and tarnish its reputation.
Objectives
The Cyber Challenge is designed to help financial institution management and staff discuss events that may present operational risks and consider ways to mitigate them. It can provide useful information about an institution’s preparedness and identify opportunities to strengthen the bank’s resilience to operational risk.
Overview of the Exercise
The Cyber Challenge consists of nine short video vignettes and related challenge questions. Each video vignette depicts a unique scenario. The challenge questions for each vignette are designed to help bank management and staff think about how they would respond to the scenarios. Also included are lists of reference materials participants can turn to for more information.
Suggested Guidelines and Ground Rules
Institutions may use a free-flowing or facilitated discussion of the vignettes. Here are guidelines for organizing a discussion and suggested ground rules. Participants in the Cyber Challenge should treat it as a data-gathering event and follow a non-attribution policy. Participants may want to record their discussions during the exercise to help compile lessons learned and identify areas for improvement.
- Vignette 1 Farmers & Merchants Bank of Dauerville
Item Processing Failure
A new item processing service provider cannot process the volume of transactions generated by the bank. - Vignette 2 Farmers State Bank of Robertsburgh
Customer Account Takeover
A corporate customer reports unauthorized withdrawals on its account. - Vignette 3 The State Bank of Town City
Bank Internal Error/Phishing and Malware Problem
Bank staff receive a phishing email that appears to have been sent by the institution's president. - Vignette 4 People's State Bank of Morello
Technology Service Provider Problem
Problems ensue after the financial institution's service provider updates its system. - Vignette 5 Farmers Bank of Westburg
Distributed Denial of Service (DDoS) Attack
The bank IT manager investigates a possible DDoS attack and discovers a second attack that steals data from the institution. - Vignette 6 Farmers State Bank of Robertsburgh
Automated Teller Machine (ATM) Malware
ATM malware reveals deficiencies in a bank's service provider contract. - Vignette 7 People's State Bank of Morello
Ransomware
A cyber-attack has taken place, and important files are being held for ransom. - Vignette 8 Eau Rapides Bank
Flood
Communications problems ensue after the bank’s data center floods. - Vignette 9 Bank of Lieferkette
Supply Chain
Third-party software update infects the bank’s system, disrupting core processing and steals data.