Tabletop exercises help bank leaders prep for cybersecurity risks.
By Khalil Garriott
As technological benefits in banking evolve at breakneck speed — far more customers now prefer mobile banking to in-branch transactions, for example — myriad challenges have arisen in parallel.
A top priority for financial institutions is preparing for cybersecurity threats to their critical infrastructures. The intrinsic skill set of risk assessment, measurement and management that is part and parcel of being a banker, operating in such a highly regulated environment with even more stringent regulations on the horizon, is useful when navigating this particular type of risk.
Cybersecurity risks recently have been elevated by the prevalence of artificial intelligence — specifically, generative AI tools. Although new, that is hardly the lone risk type that has challenged business continuity for banks.
Also on that list in recent years is the set of organizational lessons learned from the COVID-19 pandemic. And going back further, some devastating major events over the past quarter-century have caused sizeable disruptions. Add to that the gamut of constantly updated financial regulatory requirements and expectations, and it’s a daunting, evolving risk management formula for banks.
Mary Callahan Erdoes, CEO of JP Morgan Asset & Wealth Management, said January 17 at Davos that her bank suffers 45 billion attempted cyber attacks a day.
“Banks continue to face numerous cybersecurity risks from a variety of adversaries that include organized criminal enterprises, nation-states and trusted insiders,” says John Carlson, SVP for cybersecurity regulation and resilience at ABA. “Their motivations include financial gain, ideological reasons, espionage, terrorism/sabotage and warfare.”
Carlson, with prior private and public sector leadership roles in his background — including at Amazon Web Services, Morgan Stanley, the OCC, the U.S. Office of Management and Budget and the Federal Reserve Bank of Boston — teaches a course as part of ABA’s Risk Management Schools. As a recognized subject matter expert in cybersecurity, he is uniquely suited to speak on the topic of tabletop exercises — an industry-wide collaboration between the U.S. Treasury and the financial services sector.
Setting the table
Tabletop exercises, sometimes called “TTX,” are dialogue-based sessions in which a team discusses its roles during a scenario and its responses to a particular emergency situation. They can add immense value to any bank’s risk management practice. The benefits of these tabletop exercises include:
- Raising internal awareness of cybersecurity issues.
- Gaining participation outside of the IT department.
- Achieving continual improvement of the institution’s incident readiness and response.
- Verifying that the appropriate teams know their roles in case of a real incident.
- Improving communication and coordination among internal and external teams.
- Displaying to management and the board that a plan is in place, that staff members know how to execute it, and that they know when to escalate.
- Demonstrating regulatory compliance and preparedness.
Several stakeholders have a hand in a bank’s TTX — obvious departments like IT, legal and human resources — but also operations, corporate communications and property management personnel. An incident response process should provide role clarity among these stakeholders: Who has oversight of the incident? Who has the authority to make difficult snap decisions? Who decides when it is necessary to escalate? Are decisions made via consensus or by sole decision-makers with certain influence?
“Robust incident response and recovery planning is invaluable for several reasons,” Carlson says of tabletop exercises. “It helps firms to understand their most valuable assets, risk tolerances, reliance on critical vendors and processes that must be in place and tested. It lays out escalation processes for responding to an incident, including responsible parties.
“It’s also a regulatory requirement.”
After banks outline answers to these questions, as well as many more details in their security incident response plans, an outside facilitator or third party should review the plan before the exercise is undertaken. Carlson recommends that the reviewer have a technical understanding and the ability to speak to the C-suite. He says the facilitator should encourage staff to key in on each step’s outcomes and objectives rather than on the overall scenario itself.
Building ‘muscle memory’
Cameron Dicker, director of global business resilience at FS-ISAC, has helped design more than 100 tabletop exercises and has facilitated dozens since 2014. He cites the development of organizational “muscle memory” during the exercise, which will inform the response if the risk becomes an incident.
“It is through ‘muscle memory’ and a well-established plan that organizations are able to withstand and be resilient to the sophisticated and rapidly changing risk environment that financial institutions are in today,” Dicker says. “Tabletop exercises also serve an important role in training and education for senior decision makers, boards and business line staff. Tabletops provide a safe, no-fault environment for people to practice the organization’s response plans, ask questions, and familiarize themselves with how the incident response works outside of their particular area of responsibility.”
Andy Jabbour, founder, president and managing director of Virginia-based Gate 15, has designed and facilitated hundreds of tabletop exercises with government agencies and private sector firms over the past 17 years. He says they’re vital for all organizations, including banks, to ensure that plans, procedures and communications are effectively developed, practiced and executable.
“Typically, workshops precede tabletops and are more developmental,” Jabbour says. “TTXs are more confirmation that those roles and responsibilities are complete, functional and understood. We’ve seen organizations recently enduring cyberattacks — including Christmastime ransomware attacks — who were able to more effectively respond because they had already done the work with their teams.
“And that’s not just security teams and responders, but TTXs need to be held with the C-suite and other critical stakeholders as well,” he adds.
While it is tempting to play the blame game, it is more constructive for bank leadership to identify gaps in the plan and provide the resources that teams will need should an incident occur. Additionally, tabletop exercises help banks create plans for communicating with the general public in the event of an incident, to ensure a coordinated response.
“A lot of times, organizations don’t get started because they think they don’t have time or budget to do it,” Jabbour says. “On time: The reality is that proper preparedness and investment into resilience, to include tabletop exercises, saves critical time when the incident comes. Leaders don’t have time to not hold regular tabletop exercises (and in many cases, need to be compliant with their cyber insurance policies).
“On budget: If you can’t afford external assistance, you can do it yourself. There is guidance on how; you just need to designate a champion and put them to work.”
Impacts to business continuity
Over the past quarter century, a litany of drivers has affected banks’ operational risks. In the 2000s, data breaches, identity theft and patch management made headlines. From 2019 to 2022, ransomware attacks did considerable damage. During 2020-22, the COVID-19 pandemic resulted in a rapid shift to work-from-home policies and increased banks’ reliance on cloud computing. And beginning in 2022, Russia’s war on Ukraine led to sanctions and concerns about cyberattacks.
These seismic occurrences underscored the need for stability and best practices. Everything from governance, preparation, analysis, mitigation, restoration, improvement and communication has had its turn under the regulatory microscope. Banks must notify their regulator as soon as possible, and no later than 36 hours after determining that a computer-security incident has occurred that has materially disrupted or degraded operations, or could do so.
Service providers to banks must notify at least one bank-designated point of contact at each affected bank as soon as possible. Additionally, the June 2023 guidance issued by the Federal Reserve Board, FDIC and OCC on third-party risk management describes principles and considerations for banking organizations’ risk management of third-party relationships. It covers risk management practices for all stages: planning, due diligence/third-party selection, contract negotiation, ongoing monitoring and termination.
With illustrative examples to aid community banks in aligning their risk management protocols with their third-party relationships, the guidance creates consistency in agencies’ oversight of third-party risk management.
Dicker says, “Being a resilient organization is less about having a plan for every eventuality and more about having well-trained staff members who understand their roles during a disruptive event — and how it fits into the larger response to keep operations up and running.”
Lessons learned
As Carlson teaches in his course, the management of business continuity starts at the top with senior bank leaders, who must make decisions quickly and seek board support. During a cybersecurity incident, they should first focus their business impact analysis on resilience and the capacity to respond and restore critical services. Resource dependencies for essential processes and established metrics should be defined in the analysis.
“CEOs should also conduct a risk assessment to evaluate the likelihood and impact of potential disruptions and events,” says Carlson, citing natural disasters, technological failures, adversarial incidents (such as a cyberattack or ransomware) or a combination of those. Once a robust plan is in place, bank leaders should train and educate their staffs on the plan and its goals as well as conduct exercises and test the plan. Contact lists should be updated quarterly and incident response plans yearly.
“It’s essential to have a business continuity management plan in place before a cyber event happens, and it’s a regulatory requirement for banks,” says Carlson.
It is key to learn from actual incidents experienced by the bank and by others, and thereafter to review and update incident response plans. When a business disruption occurs, whether a cyberattack on the bank or on a third-party service provider, preparedness and protection strategies could represent the delta between a wholesale catastrophe and a manageable impact.
Within challenge lies opportunity.
“A successful exercise does not always mean that participants succeeded in their response efforts,” Dicker says. “The exercises that organizations learn the most from are the ones that stress their capabilities and uncover gaps. It is also not enough to do an exercise and then declare success. The actual exercise delivery is only a small part of a successful exercise. After the exercise, there needs to be some documentation of what was learned and actionable recommendations for improvement.”
The risk road ahead for U.S. banks is not only unpredictable domestically; it is also ambiguous abroad. Despite the unanticipated nature of crises, planning is critical — as are simulations to validate that strategic planning.
If the Basel III endgame is finalized as proposed, it would eliminate the practice of relying on banks’ internal risk models. (The new rulemaking would take effect for three years beginning on July 1, 2025.) Unprecedented external challenges also will have profound effects on the future. Ongoing wars in Ukraine and Gaza, as well as the U.S.’s foreign policy developments with other countries during a presidential election year, could result in extreme risks affecting the banking sector.
“Even community banks are expected to have a framework in place for geopolitical risk, whether domestic or international,” says Adrian Ungureanu, managing principal at the management consulting company Capco.
Keeping pace with regulatory compliance can be quite an undertaking.
“Not that any of these reporting requirements are insurmountable, but they just require a lot more energy and effort,” says Bruce Lowry, CEO of Ireland Bank in Malad City, Idaho. “Banking is very labor-intensive anyway. Regulatory issues are stacking on top of activities that don’t generate any revenue and just put further challenges on profitability.”