2020 Cyber-Attack Against Payment Systems Exercise

Build a Stronger Incident Response Team

The CAPS exercise challenges incident response teams to overcome a simulated attack against financial institution systems and processes.  Participants practice mobilizing quickly, working under pressure and recognizing critical intelligence to defend against an attack.

Developed as a real-world scenario, outcomes include:

  • Stronger team relationships and increased cross-functional knowledge;
  • Clearer internal understanding of system vulnerabilities; and
  • Improvements in response plans.

Gain maximum benefit with minimal resources:

  • Participate from your premises or remotely via computer sharing using virtual, confidential exercise materials;
  • Teams spend a few hours working the incident each day; and
  • Gain access to unattributed peer data to compare your response to other organizations.

CAPS is available to all regulated depository financial institutions for $175 per institution.

Please review the FAQ for more information, or contact FS-ISAC at CAPS@fsisac.com.

FS-ISAC reserves the right to decline participation.

Frequently Asked Questions

Who should participate?
All FS-ISAC members and most regulated depository financial institutions in the Americas. Membership in FS-ISAC is not required. FS-ISAC reserves the right to decline participation based on its operating rules or sanctions-related concerns.  

Why participate?
Pervasive vulnerabilities and cyber-attacks are a known source of risk for financial enterprises. Security breaches, system compromises and other cybersecurity issues are common and can be severe. CAPS enables you to practice your incident response plans and resources in response to an incident. You privately assess your exercise experience and preparedness, while receiving insights on best practices and readiness assessments. Many regulators recommend participating in cyber-threat exercises like CAPS to support an institution’s resiliency, testing and training.  

How does CAPS work?
You designate one person as the primary point of contact to register your company. Your primary contact receives all communications about the exercise, including the FS-ISAC Cyber-Attack Against Payment Systems Pre-Exercise Guide to help prepare for the exercise. Early each morning of the two-day exercise, your primary contact receives an email with instructions to retrieve the exercise for that day and the daily survey. Each day, from your own premises and on your own schedule, your team reviews and discusses the information available and confidentially answers a set of self-assessment survey questions.

What can I expect on Exercise Day?

You receive a welcome email from FS-ISAC CAPS (noreply@cyware.com) instructing you to set up your login to the secure exercise portal with your email and a password. You download Day 1 exercise materials at that time. On Day 2 you receive a notice from the same address that the Day 2 exercise materials are available for download. The exercise materials from both days will be accessible on Day 2. Please make sure to whitelist noreply@cyware.com.

How much does CAPS cost?

You can register your financial institution for $175 USD.
The registration fee includes:
  • Your entire team’s participation;
  • Pre-Exercise Guide outlining 2020 CAPS;
  • Dedicated email support;
  • Access to exercise materials, instructions and exercise-day support via a secure platform;
  • Self-assessment tool providing a private and unattributed response from your institution;
  • After-CAPS report of aggregated survey responses for internal comparisons and benchmarking; and
  • After-CAPS interactive webinar presentation (available on-demand after webinar date).   

How do I register and pay for CAPS?
Use the registration link provided or go to https://www.fsisac.com/caps-reg2020. FS-ISAC will approve your financial institution and send you a confirmation email invoice with instructions to provide a credit card for payment.   

Who creates the exercise?
FS-ISAC member volunteers work with staff to develop scenarios based on current trends and emerging threats; develop questions for discussion and response in the daily feedback survey, to help participating teams assess their preparedness; and script and record roles as members of the incident response team meetings presented in the exercise.

Where does CAPS take place?

CAPS is a virtual table-top exercise. Teams participate from their own premises or remotely, using the exercise materials provided to your point of contact each morning of the exercise.

How long does CAPS take?

On average, teams work together for a few hours each day of the exercise.   

What time is CAPS?

Your team chooses the time to work on CAPS on each of the two days. Your point of contact can access the exercise material early in the day and the survey response is due by midnight local time. You may plan your schedule for each day to best fit the participants and organization.  

What is the After-Action Report?

Following the exercise, the survey results are tabulated for your region and across other regions. You will receive a copy of the results and be invited to a webinar presentation of the findings, hosted and facilitated by FS-ISAC.   

How will the results be meaningful for my financial institution?

Surveys are completed anonymously; however, general demographic questions such as asset size, country code and industry help compile a useful benchmark-type report that most financial institutions find helpful. These results, combined with your extensive team discussions during the exercise, are qualitatively valuable as well.

Who should be involved from my financial institution?

Typically, the exercise includes the financial institution’s incident response team, business continuity and operational resiliency professionals who would respond to a cyber-attack affecting customers using payment services. Many institutions include Information Technology (IT), risk management, payment operations, customer service, communications, legal, line of business managers and decision-making incident response executives. Some ask external partners to be available for consultation during the exercise. A list of recommended internal functional teams is included in the FS-ISAC Cyber-Attack Against Payment Systems Pre-Exercise Guide.

Is CAPS specific to the size of a financial institution?

CAPS is designed for all sizes of financial institutions with each institution adapting it as necessary, “as they go,” to best fit the institution participating.  

How many financial institutions participate?
Approximately 2,000 regulated financial institutions from around the globe registered for CAPS 2019.  

How can I get more information?
If you have questions not addressed here, please send an email to CAPS@fsisac.com.