The Financial Sharing and Analysis Center (FS-ISAC) conducted the latest Cyber Attack against Payment Processes (CAPP) Exercise on March 12-13 and 19-20, putting 67 corporate participants’ cybersecurity preparedness to the test.
The CAPP exercise seemed to center on how treasurers would maintain normal business in the wake of a bank closure due to a malware attack, one participant said.
Fred Butterfield, CTP, treasury manager at Trust Company of America, told AFP that one of the biggest discussion points he had when comparing notes afterwards with two other participants was what they learned about their business continuity/disaster recovery plans. “The perspective of the exercise was that the bank closed the corporate access to online accessibility due to the malware infecting the corporate workstation, and required some kind of certification that the malware had been dealt with before reinstating the connection,” he said. “This meant that the connection could be ‘down’ for several days and/or weeks. We also discussed how we would fund necessary business activities if we couldn’t get to our banks in the manner we usually use, including not just A/P and payroll, but debt payments and other large transactions.”
Charles Bretz of Bretz LLC, director of payment risk for FS-ISAC, told AFP that participants were “heavily concentrated in the insurance and finance industries.” He added, “The incident response teams for the firms represented, on average, about eight different functions within the firms.”
Full results of the exercise, which are confidential, will be sent to all participants in mid-April. CTP/CCM certificate holders that participated earned continuing education credits.
Butterfield noted that the possible compromise of customer information brought in other departments beyond treasury and IT, such as marketing and legal—and with them came additional considerations. “One of the comments heard was that a message could be sent out to the customers very quickly, but that it would take many hours, if not days, to prepare that message,” he said.
The exercise made it clear to participants that not all of the information was available in the first minute, yet various decisions had to be made right away, Butterfield added. “Some facts didn’t come to light until hours or days after the malware problem was discovered, and brought with them the need for more communication and decision making,” he said. “It really highlighted the fact that a situation of this kind really involved much of the company. A communication plan was an absolute necessity to keep the company viable and functional during the crisis.”
Butterfield also participated in the 2010 CAPP exercise, which had a different focus than the new one. “The first exercise focused on the impact of having the treasury workstation(s) and network down—how many machines might be infected, how long it might take to clean them, etc.,” he said. “The second exercise focused on the impact to the company of the Treasury connection being down—fraudulent wires and ACH, data breach, investigations, etc.”
Neither exercise really went into details on malware, although both had information about how the malware may have gotten onto the company workstation, Butterfield added. “The exercises were more of a business continuity/disaster recovery discussion than malware education, with the first just being treasury (mostly) and the second being more about the enterprise,” he said.
Butterfield, Bretz and FS-ISAC President and CEO Bill Nelson will discuss the findings for the CAPP exercise in a session at the 2013 AFP Annual Conference in Las Vegas this October. “There were many valuable lessons learned as a result of the exercise, and more to come as results are analyzed and examined,” said Butterfield. “I am looking forward to sharing as many of them as I can during my session at AFP Annual 2013.”