FS-ISAC Cyber Attack (against) Payment Processes (CAPP) Exercise


The 2014 CAPP Exercise is now complete. Nearly 1000 financial institution representatives participated. We are currently looking to schedule CAPP Exercises in North America, Europe and other regions for 2015, so stay tuned.

About the FS-ISAC Financial Institution CAPP Exercise

The FS-ISAC Financial Institution CAPP Exercise sessions are designed for financial institutions that provide payment services. For more information, a downloadable summary of prior exercises is available from this page.

What would your financial institution do in the event of a cyber attack on your online banking environment?

Over a two-day period each fall, the Financial Services Information Sharing and Analysis Center (FS-ISAC), in conjunction with the Payments Risk Council (PRC), conducts a simulated attack on payment processes to help you assess your company's readiness in the event of such an attack or event.

Similar exercises were conducted in 2012, 2013 and 2014. These events help the industry identify ways to prevent, detect and respond to cyber attacks against payment processes. At a time when account takeovers, breaches at technology companies, denial of service attacks and other cyber-crimes are affecting the industry, it is imperative that your company knows how to react if it happens to you.

CAPP Exercise Benefits

By participating in this simulated cyber attack exercise, your organization will be able to:

  • Evaluate your current risk mitigation procedures related to cyber attacks and identify potential critical gaps in planning
  • Engage in a live test of your incident response team’s ability to respond to major incidents
  • Raise awareness and educate your staff regarding procedures to respond to complex threats
  • Benchmark your business practices based on the responses of other firms
  • Develop appropriate risk mitigation recommendations in response to the types of attacks used in this exercise
  • Receive an after-action report highlighting lessons learned from the exercise and category benchmark results
  • Support regulatory compliance by documenting that your incident response plans have been exercised
When was the exercise?

  • September 9-10, 2014 - Registration Deadline: 09/05/2014
  • September 16-17, 2014 - Registration Deadline: 09/12/2014

Who should participate?
Financial institutions that provide payment services and are exposed to cyber attacks.

How much does it cost?
Participation is free.

How do I register?
A link to the 2015 exercises is not yet available.

How much time will this take to complete?

  • The exercise is conducted over two consecutive days, and the concluding survey requires less than one hour each day to complete
  • You will receive each day's scenario in the morning, and we ask that you complete the survey portion by 12:00 midnight Eastern Time
  • Organizations may wish to use this as an opportunity to conduct a drill within their own company; time requirements for such a drill will vary

What does our financial institution get out of participating?
Your institution's incident response team will be able to evaluate your readiness if faced with a cyber attack. All participants will receive a summary of the exercise results. Individuals participating may also apply to receive continuing education credits based on the exercise course work.

What is the Payments Risk Council?
The Payments Risk Council's goal is to share payment risk information for ACH, check and wire payments, as well as best practices to mitigate payment risk. PRC members are financial institution risk professionals, NACHA risk staff and ACH regional payment association managers.

Will this be an actual vulnerability test of my system?
No, this exercise is a tabletop-style simulation only; nothing is sent to or run against your systems. Each day of the exercise you will receive an email with that day's scenario, a link to a broadcast of information about the scenario and a series of questions for your organization to answer. When you are ready, you can click the link to the survey tool to answer the questions for that day.

Will my organization's information be published?
No, all participants and their input will be anonymous.

If my organization is not a member of FS-ISAC, can we participate?
Yes, this exercise is for the benefit of all organizations involved with payments.

Will the exercise require any special software?
No, you will only need an internet connection and email. You will be provided a link to an online survey tool called Survey Monkey where you will enter your responses.

What type of job functions should participate in the exercise?
IT Risk, IT Operations, Line of Business Managers, Call Center Management, Online Banking Managers, Treasury Managers, Legal and Compliance, Corporate Communications and any other function in the financial institution that would respond to a cyber attack against the institution.

What will my organization have access to when the exercise is completed?
You will have peer data to compare against through an interactive after-action report. Again, all company information will be kept confidential.

How can I use the results to benchmark my own organization’s performance?
Data will be available to you to sort by industry type, geographical location or size.

What is FS-ISAC?
The Financial Services Information Sharing and Analysis Center was launched in 1999. The FS-ISAC was established by the financial services sector in response to Presidential Decision Directive 63 (PDD-63) from 1998. That directive, later updated by Homeland Security Presidential Directive 7 (HSPD-7) in 2003, mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect U.S. critical infrastructure.