To help identify potential risks for financial systems, the Financial Systemic Analysis & Resilience Center (FSARC)—created two years ago by a consortium of financial services firms that includes JPMorgan Chase—has developed a confidential register of nearly two dozen cyber scenarios. These scenarios reflect technological and operational threats that have the potential to cascade from one financial institution through the entire sector.
“By developing a risk register, we can prioritize the systemic risks and build actionable steps to promote the resiliency of the financial sector against these threats,” said Russell Fitzgibbons, Corporate & Investment Bank (CIB) Operations, who works closely with FSARC as their Director of Risk. “When we identify a critical potential event, we look at the interconnected assets, networks and systems to develop plans to provide a path to recovery.”
The risk register is maintained and administered by FSARC. Input and support are provided by the FSARC Risk Committee, which is led by FSARC and the US Treasury, with its committee members representing the 16 participating financial institutions. Rohan Amin, the firm's Chief Information Security Officer and Chief Technology Control Officer, serves as chairman of the FSARC board. FSARC and its members spend approximately six months identifying and analyzing strategies for addressing each scenario, Fitzgibbons said. That analysis drives the development of comprehensive playbooks that address operational, technology, legal and compliance, and customer strategy components.
The initiatives rely heavily on collaboration among FSARC members and other financial sector participants, with engagement and input from more than 100 industry and cyber experts to create resiliency and recovery plans to help mitigate a broad cyberattack. Our Exercises and Social Engineering (ESE) team conducts exercises with FSARC members, financial market utilities and government partners to test the viability of the plans and solutions, and to share key learnings. The ESE team has conducted two resiliency exercises with FSARC examining possible disruptions to the wholesale payments system and US Treasury bond markets. The group is planning a third exercise focusing on global messaging systems in early 2019.
“Developing any resiliency and recovery plan is only as good as testing its execution,” said Adam Bulava, Global Head, ESE team. “These types of exercises allow the financial sector and government agencies to collaborate on planning and to validate the effectiveness of recovery and resiliency playbooks.”
Last fall, the ESE team led the first cyber exercise based on the committee’s Wholesale Payments Initiative (WPI) to examine the plan’s viability against a systemic threat to the high-value payments processing system.
The day-long, web-based tabletop exercise tested a simulated multiday outage, controlled by cybercriminals, at a large wholesale payments bank, looking at the effects on that one firm as well as the broader market implications.
More than 300 participants from nine financial institutions, two financial market utilities and several government observers took part in the WPI scenario testing, including representatives from payment operations and technology, business continuity, client service, legal, communications and treasury/liquidity.
Each organization participated from its respective offices around the country, identifying and responding to over 120 unique exercise prompts that used real-world artifacts, such as payment messages, industry intelligence bulletins, news reports and adversary social media posts. Participants received an exercise phonebook that included contact information to encourage internal discussions, crisis coordination calls and bilateral communications among the members.
Following the simulation, the ESE team shared the key outcomes with the FSARC WPI steering committee to determine next steps for enhancing resiliency and response planning.
“The WPI exercise was a valuable tool for FSARC and participants,” Fitzgibbons said. “This was the first validation of an FSARC initiative that stress tested the maturing WPI playbook, its utility within the participating firms and its connectivity to other sector playbooks and processes. The testing also provided the various business, technology, operations and business continuity areas within each firm an enhanced perspective on how to improve coordination and communications during a cyber event. Every role counts.”
Successfully combating cyberschemes “isn’t just about knowing who the criminals are and how they will attack,” said Mike Kelly, Head of Cybersecurity and Technology Controls for Commercial Banking. “It also comes from developing long-term collaborations with other financial institutions and the US government to try to stop the schemes and recover.”
A key factor studied by the group is how to coordinate a response if “a sustained event, such as the disruption of wholesale payments systems or the US Treasury bond market, affects one firm or the entire network,” said Lester Owens, Global Head of Wholesale Banking Operations and CIB Client Onboarding. “By evaluating the possible scenarios early, we can test controls and help correct any potential gaps now.”
While the risk initiatives are building plans to ensure resiliency in the event of an attack, the FSARC Intelligence team and its members are building collaboration capabilities with the Department of Homeland Security, US Treasury and the US intelligence community to better defend prioritized critical infrastructure against an attack.
“Our relationship with other firms and the US government increases awareness about cybersecurity and the need to plan,” said Josh Pope, Head of Global Client Service & Implementations and Americas Operations for Treasury Services. “By working together, FSARC and its members identify opportunities to share intelligence and help each other defend against cyberthreats.”