All FS-ISAC members and most regulated depository financial institutions in the Americas, Asia Pacific, Europe, Middle East and Africa. Membership in FS-ISAC is not required. FS-ISAC reserves the right to decline participation based on its operating rules or sanctions-related concerns.
Pervasive vulnerabilities and cyber-attacks are a known source of risk for financial enterprises. Security breaches, system compromises and other cybersecurity issues are common and can be severe. CAPS enables you to practice your incident response plans and resources in response to an incident. You privately assess your exercise experience and preparedness, while receiving insights on best practices and readiness assessments. Many regulators recommend participating in cyber-threat exercises like CAPS to support an institution’s resiliency, testing and training.
You designate one person as the primary point of contact to register your company. Your primary contact receives all communications about the exercise, including the FS-ISAC Cyber-Attack Against Payment Systems Pre-Exercise Guide to help prepare for the exercise. Early each morning of the two-day exercise, your primary contact receives an email with instructions to retrieve the exercise for that day and the daily survey. Each day, from your own premises and on your own schedule, your team reviews and discusses the information available and confidentially answers a set of self-assessment survey questions.
You receive a welcome email from FS-ISAC CAPS firstname.lastname@example.org instructing you to set up your login to the secure exercise portal with your email and a password. You download Day 1 exercise materials at that time. On Day 2 you receive a notice from the same email address that the Day 2 exercise materials are available for download. The exercise materials from both days will be accessible on Day 2. Please make sure to whitelist email@example.com.
Use the registration link provided or go to https://www.fsisac.com/caps-reg2020. FS-ISAC will approve your financial institution and send you a confirmation email invoice with instructions to provide a credit card for payment.
FS-ISAC member volunteers work with staff to develop scenarios based on current trends and emerging threats; develop questions for discussion and response in the daily feedback survey, to help participating teams assess their preparedness; and script and record roles as members of the incident response team meetings presented in the exercise.
CAPS is a virtual table-top exercise. Teams participate from their own premises or remotely, using the exercise materials provided to your point of contact each morning of the exercise.
On average, teams work together for a few hours each day of the exercise.
Your team chooses the time to work on CAPS on each of the two days. Your point of contact can access the exercise material early in the day and the survey response is due by midnight local time. You may plan your schedule for each day to best fit the participants and organization.
Following the exercise, the survey results are tabulated for your region and across other regions. You will receive a copy of the results and be invited to a webinar presentation of the findings, hosted and facilitated by FS-ISAC.
Surveys are completed anonymously; however, general demographic questions such as asset size, country code and industry help compile a useful benchmark-type report that most financial institutions find helpful. These results, combined with your extensive team discussions during the exercise, are qualitatively valuable as well.
Typically, the exercise includes the financial institution’s incident response team, business continuity and operational resiliency professionals who would respond to a cyber-attack affecting customers using payment services. Many institutions include Information Technology (IT), risk management, payment operations, customer service, communications, legal, line of business managers and decision-making incident response executives. Some ask external partners to be available for consultation during the exercise. A list of recommended internal functional teams is included in the FS-ISAC Cyber-Attack Against Payment Systems Pre-Exercise Guide.
CAPS is designed for all sizes of financial institutions with each institution adapting it as necessary, “as they go,” to best fit the institution participating.
Approximately 2,000 regulated financial institutions from around the globe registered for CAPS 2019.
If you have questions not addressed here, please send an email to CAPS@fsisac.com.