Operational Resilience Framework Community Tabletop Exercise Series

Community Tabletop – Payments Disruption

In March and April, Global Resilience Federation and Nacha held free tabletop exercises to allow organizations to assess resilience after a simulated, but plausible destructive wiperware incident that included a major ACH outage. In addition to IT operations and risk, exercise components included media management, law enforcement and regulatory engagement, and an examination of prioritizations. Players discussed and took simulated action in the emergency as facilitators progressed the exercise timeline and injected additional information. 

The half day event helped to increase operational resilience awareness in the ACH community and build greater maturity through the sharing of cyber risk, resilience and continuity practices. Exercise players needed to triage operations and recovery actions based on a cyber risk control framework, incident response practices, evaluation of critical business services, service delivery, data recovery/restoration and communications plans.

Objectives and expectations included:

• Understanding the impact of a major, extended cyber disruption

• Exploring implications of payments failures

• Gaining a deeper understanding of service dependencies

• Considering rolling impacts like secondary attacks, liquidity issues and customer confidence

• Identifying operational resilience strengths and weak points

• Identifying industry best practices among peers

• Collecting action items to address post-exercise

The exercises were designed for resilience practitioners from commercial banks, credit unions, and core systems processors. A multi-sector exercise will be delivered later this year that extends this scenario to explore operational resilience in a broader ecosystem. A player’s actions may not necessarily reflect their organization’s positions but will offer an opportunity to discuss events and potential solutions. Institutions may also bring observers to watch segments of the exercise as it unfolds. Attendance is anonymous.

The March and April exercises included more than 500 financial services company participants.