VII.H Industry Exercises and Resilience
Given the potential for and nature of widespread and systemic disruptive events, public and private sector groupsPublic and private groups include the FS-ISAC, Financial Services Sector Coordinating Council (FSSCC), Financial Systemic Analysis & Resilience Center (FSARC), Financial and Banking Information Infrastructure Committee (FBIIC), and some regional coalitions. conduct exercises with their members to verify resilience across the financial industry. These exercises simulate significant regional or industry-wide emergencies, and members are encouraged to use backup sites and test their recovery capabilities. In addition to financial institutions, these coordinated tests often include participation by third-party service providers and government agencies. There are several methods for entities of all sizes to participate, such as through third-party service provider user groups or industry initiatives. For example, industry initiatives include the U.S. Department of the Treasury’s Hamilton Series (national and regional series) and the FS-ISAC’s Cyber-Attack Against Payment Systems (CAPS). The results of these exercises are usually available to members of industry and regulatory groups, and summaries may be available to the public.
Examiners should understand that opportunities to participate in such exercises may be limited. The Financial Sector Cyber Exercise TemplateRefer to the U.S. Department of the Treasury’s Financial Sector Cyber Exercise Template. is publicly available from the U.S. Department of the Treasury, and management can use it to help verify the entity’s own response capabilities and evaluate how it would respond during similar situations. Additionally, the template and results may be used as resources to validate exercise and testing assumptions and scenarios.
VII.I Third-Party Service Provider Testing