Skip to main content


FDIC Resource: A Community Bank Cyber Exercise

FDIC Resource: A Community Bank Cyber Exercise

If you weren’t already aware, the FDIC has created a series of educational videos for both the Director-level and the Officer and Employee-level of its financial institutions designed to give additional insight and training around supervisory focus areas. The Technical Assistance Video Program (TAVP) can provide an excellent addition to your annual security awareness training catalog, or if your Board of Directors needs to go through some additional cybersecurity awareness training, this is a good starting point. 

Recently, the FDIC updated a section of its TAVP called the “Cyber Challenge: A Community Bank Cyber Exercise.” The goal of this resource is to encourage institutions to discuss the potential threats and the impact of disruptions on common banking functions, especially as it relates to operational risk. The FDIC covers nine (9) different scenarios in short vignettes (YouTube videos, in case you’re wondering what a “vignette” is), ranging from disaster recovery to vendor-related incident response issues. Each vignette also includes challenge worksheets designed to stimulate discussion. Including these exercises in your tabletop discussion can improve how the Business Continuity, Disaster Recovery, and Incident Response plans work together and are updated.  At the very least, these vignettes provide additional new scenarios to talk through at the annual tabletop testing.


Bringing Together Business Continuity, Disaster Recovery, and Incident Response Plans

Discussing a range of Business Continuity, Disaster Recovery, and Incident Response scenarios will aid in addressing areas of your plans that may have been overlooked or offer a new perspective on these types of threats. Any new findings can then be incorporated into your respective plans, helping to increase resilience through the addition of new procedures or controls where applicable. Chaining together Business Continuity, Disaster Recovery, and Incident Response scenarios, you can create a tabletop where not only is Business Continuity a priority, but one that also touches on the ability to provide Incident Response at the same time. Luckily, the scenarios created by the FDIC play into each other very well.  In some of the cases, you can combine the entire Business Continuity, Disaster Recovery, and Incident Response exercises into one larger incident, therefore effectively killing two birds with one stone (or at least testing two plans at one time).


The Scenarios

The FDIC’s nine (9) short Cyber Challenge vignettes and challenge questions cover:

  1. A new Item Processing service provider cannot process the volume of transactions generated by the bank
  2. A corporate customer reports unauthorized withdrawal on its account
  3. Bank staff receive a phishing email that appears to have been sent by the institution’s president
  4. Unforeseen issues after the financial institution’s service provider implemented a major software update
  5. The bank’s IT manager investigates a possible DDoS attack and discovers a second attack stealing data from the institution
  6. ATM malware reveals deficiencies in a bank’s service provider contract
  7. Ransomware outbreak due to a cyber attack
  8. Communications problems due to the bank’s data center flooding
  9. A third-party software update infects the bank’s systems, disrupts core processing, and steals data

This FDIC also provides guidelines and ground-rule suggestions, including having a facilitator who is:

  • A neutral party that provides structure to the meeting
  • Guides information-sharing among the participants
  • Ensure that discussions move forward and are focused on the issue at hand



The FDIC has done a really nice job putting together these video training scenarios to help facilitate discussion around your Business Continuity, Disaster Recovery, and Incident Response plans. If you are not currently testing your plans regularly, or if you’re in need of some new testing material, be sure to check out these Cyber Challenge scenarios, along with the rest of the FDIC’s Technical Assistance Video Program.

Also, if your Directors could use some additional training, be sure to share with them the “Videos for Bank Directors.”


Written by: Eric Chase
Information Security Consultant
SBS CyberSecurity, LLC

SBS Resources:

  • {Services} Consulting: A successful Business Continuity, Disaster Recovery, and Incident Response tabletop test should yield both ideas on how to make existing plans stronger and provide insight to issues that may have not been considered before. Combining instances of each area can create unique and challenging exercises that will ensure that a real incident is handled more efficiently.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Incident Handler ​  Certified Banking Business Continuity Professional

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, November 16, 2018
Categories: Blog