Date: 6 June 2024
Cyber Attack Tabletop Exercises are critical to business continuity and recovery after cybersecurity incidents. Their importance is regularly reiterated by regulators and insurers across the world who demand proof of consistent cybersecurity incident scenario testing. This is no surprise given the massive rise in a wide range of security incidents, ransomware attacks and breaches of sensitive information. And the implications of such attacks and breaches only magnify in the world of financial services.
With all the talk around the EU DORA that comes into force in January 2025, it’s important to remember that the UK’s Financial Conduct Authority too, requires exacting standards of operational and business continuity. It also mandates demonstration and validation of the same. Financial businesses that seek to be compliant with the UK Financial Conduct Authority (FCA) need to demonstrate their commitment to business continuity with regular 'scenario testing' exercises.
Topics covered in this article:
1. What does Scenario Testing Entail?
2. FCA's Exact Requirements for Scenario Testing
3. How to Conduct a Successful Scenario-based Test?
The FCA & Incident Response Scenario Testing
Incident Response Scenario Testing helps you scrutinise the effectiveness of your existing cyber incident response plans and the key staff members' familiarity with them and their individual roles and responsibilities.
The FCA also focuses on identifying areas for improvement, lessons learned and ultimately creating confidence in the business's security posture. After the testing, firms are expected to review the outcomes diligently and update their cyber resilience plans accordingly. This approach aligns with the FCA's broader objective of ensuring that financial markets function well and that consumers remain protected. However, regular tabletop testing will yield many immediate benefits to your business beyond compliance which we’ll come to later.
In the next few sections, we show you how to fulfil the FCA’s Cyber Security Requirements and how to successfully conduct operational resilience testing with simulations of cyber tabletop exercise scenarios. But first let us understand what the FCA says about regular Cyber Tabletop Exercises.
FCA’s Exact Requirements for Scenario Testing
The Financial Conduct Authority, the conduct regulator for financial firms and financial markets in the UK, places a high degree of importance on tabletop testing as a part of firms' operational resilience strategies.
In the FCA Handbook’s section titled Senior Management Arrangements, Systems and Controls (SYSC), Chapter 15, Rule A.5.3 is dedicated to Scenario Testing. Here is what it says, “A firm must carry out scenario testing, to assess its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations.”
Guidance 15.A.5.2 says that firms must pay attention to the type of scenario being tested, the frequency of testing, how the firm will communicate with important stakeholders about operational disruptions, amongst many other things.
Essentially, the FCA guidelines mandate that regulated financial institutions conduct these tests to examine and validate their business continuity plans, cyber incident response plans, and recovery strategies. These cyber tabletop exercises, when conducted professionally, aim to uncover vulnerabilities in a controlled environment and ensure that all staff members are familiar with procedures to follow during actual operational disruptions.
Conducting Successful Cyber Scenario Testing Exercises
It is obviously clear now that to maintain adherence to the Financial Conduct Authority (FCA) standards, it is imperative to conduct effective yet comprehensive cyber testing drills.
However, running an effective cyber attack simulation drill can be overwhelming for the average business and their internal security teams.
This is where bringing an expert external facilitator on board, such as Cyber Management Alliance, can be really helpful. We have helped over 300 businesses achieve their cyber resilience goals and compliance with various regulators’ directives through our globally-recognised Cyber Crisis Tabletop Exercises. What makes us stand out in the market is the fact that our scenario testing exercises are designed and often conducted by the world’s most experienced cyber tabletop facilitator.
Some of the ways in which our Cyber Crisis Simulation Drills stand out in the market include:
- Bespoke Scenarios: As mentioned in the FCA guidelines, the scenario for which you’re testing must be given the right consideration. We design bespoke scenarios for clients that are specific to their business, its size, industry etc. They mimic real life and the kind of chaos that will often ensue after a cyber-attack.
Without professional and relevant scenarios, the testing exercise can be pretty futile. Not only will it fail to adequately engage your audience, it will also not lead to the desired outcome of really judging your organisation’s ability to deal with a security incident.
- Detailed Planning: Our Facilitators spend a lot of time with a point-of-contact from the client’s end to plan the exercise meticulously. We believe that if you fail to plan, you may as well plan to fail. This adage applies to both cybersecurity preparedness and the success of your tabletop exercise.
Fact finding is really important to the success of your exercise. We conduct a comprehensive analysis of current cyber threats, leveraging intelligence gleaned from both internal and publicly available sources including your existing penetration tests and audit reports. This leads to a well-planned and targetted exercise.
- Curated for different audiences: We firmly recommend all our clients to clearly define the audience for whom they wish to organise the Cyber Tabletop Drill. Based on the participants selected, we offer three different types of crisis simulation exercises - Executive, Operational and Technical Tabletops.
The Executive Cyber Tabletop Exercise is brief and focussed on executive action, leadership, and decision-making during a crisis. The technical cyber drill is focussed on technology controls while the operational cyber drill emphasises business continuity after an attack.
- Professional Recommendations for Improvement: Lessons Learned is an important component of the FCA Guidelines. Rule 15.A.5.8 states: “A firm must, following scenario testing or, in the event of an operational disruption, after such event, conduct a lessons learned exercise that allows the firm to identify weaknesses and take action to improve its ability to effectively respond and recover from future disruptions.”
Our focus on Lessons Learned is paramount. After each exercise, we have a debriefing session during which participants have the opportunity to engage in discussions and share their experiences regarding the challenges encountered. Additionally, we create a comprehensive Executive Summary that contains an objective and meticulous analysis of the exercise. We also have a formal maturity score assessing your breach readiness across ten distinct areas, graded on a scale of 1 to 5.
