CSI Resources

man in the middle of a maze

Has Your Bank Performed a Cyber-Incident Simulation Test Yet?

  • by Tyler Leet
  • Oct 13, 2016

For years, banks have been expected to test their business continuity plans. But now, with cybersecurity becoming a bigger and bigger priority in the financial industry, the lines between your cyber-incident response program and business continuity plan (BCP) are becoming blurred and combined.

In fact, the FFIEC now requires financial institutions to review, update and test incident response, as well as their business continuity plans. And though you might not yet be aware of this requirement, you’re soon going to see a regulatory push for simulation testing as the risks related to cyber-incident response trickle down to examiners. In recognition of National Cybersecurity Awareness Month, let’s take a hard look at testing cyber-incident response plans.

FFIEC Statement on Destructive Malware

Last year, the FFIEC released a statement to notify financial institutions of increasing cyber threats involving destructive malware. The FFIEC suggests that financial institutions consider taking numerous steps in accordance with regulatory requirements and FFIEC guidance, including the following:

Review, update, and test incident response and business continuity plans. Test the effectiveness of incident response plans at the financial institution and with third-party processors to ensure that all employees, including individuals responsible for managing liquidity and reputation risk, information security, vendor management, fraud detection, and customer inquiries, understand their respective responsibilities and their institution’s protocols. Conduct an exercise at the financial institution that simulates a cyber attack involving destructive malware. –FFIEC Joint Statement, Destructive Malware

As part of the updated guidance, financial institutions are now expected to test incident response plans by simulating a cyber attack. You can also anticipate examiners—as well as the information security industry as a whole—to embrace the concept of “cyber resiliency.” In short, cyber resilience is the marriage of information security and business continuity. Because of this, your incident response should be incorporated with your BCP.

2 Ways to Perform Cyber-Incident Simulation Testing

There are two prominent types of cyber-incident simulation tests your financial institution may perform: 

  1. Table Top Test

    Considered a rudimentary test, during a “table top” simulation, your financial institution will collaborate with third-party cybersecurity professionals to discuss a theoretical cyber-incident by developing a scenario, introducing that scenario around the table and then slowly releasing additional information. As a bated test, you’re not sure how the attack is going to unfold—it’s your financial institution’s job to determine how it would react and the steps you would take to withstand the cyber attack.  

  2. Functional Test
  3. In a functional test, your financial institution will collaborate with third-party cybersecurity professionals to launch an attack by simulating a destructive malware attack. You may launch such offensive security services as social engineering testing or penetration testing, which test your controls by trying to gain access to your systems. This type of sophisticated testing will determine if your financial institution is able to detect the attack and then measure how well your staff follows procedures and uses controls.

Both types of cyber-incident simulations test your financial institution’s response and ability to withstand a cyber attack, and help verify that you have an accurate incident response plan in place. The insight gained through testing illustrates how well your controls perform when under attack and test the effectiveness of your financial institution’s cyber-incident response plan when collaborating with a third party. 

Why is Cyber-Incident Simulation Testing Important?

Cyber-incident simulation testing is like buying insurance—you hope you never have to use it, but, in the event that you do, you’re beyond ecstatic to have it in place. That’s because no matter how thorough your BCP or incident response documentation is, if you never test and put those ideas into practice, how do you know that your plans are going to function at all?


Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With more than a decade of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations in other vertical markets. He frequently speaks at conferences and seminars and is often cited in industry publications.