Wiperware Exercise Unearths Startling Reality
In a 2024 incident response exercise conducted by the nonprofit Business Resilience Council with nearly 700 banks, credit unions and payment processors, 70% of participants admitted they had not tested destructive malware scenarios against their payment systems and operations.
None of the participating core processors had run an exercise in which wiperware halted financial transactions, and the majority of credit unions admitted the same.
Most credit unions and many banks believed they could rely on third parties such as their core processors to meet payment deadlines during a crisis, while the processors themselves doubted they could actually deliver that help.
Getting these institutions together into a virtual room revealed that a lack of communication has left Americans vulnerable to a successful cyberattack that would catastrophically affect the digital economy. If bank withdrawals are frozen, peer-to-peer payment apps are unresponsive, companies can’t make payroll, and debt can’t be serviced, our modern way of life comes to a halt.
Beyond uncovering the false expectation that operational responsibility could be handed off to third parties in order to meet customer demand, the majority of participants admitted they had no plan that categorized and prioritized their most urgent payments for the moment systems came back up. Only 41% of participants reported having service delivery objectives that define minimum viable service during a crisis.
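The plan most participants lacked has a concrete shape: a classification of payment types into priority tiers, a service delivery objective (SDO) per tier, and a rule for spending scarce processing capacity once systems are partially restored. The following is an added illustration, not code from the Business Resilience Council or the Operational Resilience Framework. The category names, tiers, SDO windows, capacity figures and the sample queue are all constructed assumptions; a real institution would substitute the values agreed in its own plan.

```python
"""Payment triage under degraded processing capacity.

Added example, not the Business Resilience Council's code or part of the
ORF: given a queue of payments, a fixed per-hour capacity for the impaired
system, and a planning horizon, rank payments so that minimum viable
service is delivered first and report which payments would breach their
service delivery objective (SDO). Category names, tiers, SDO windows and
the sample queue are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed priority tiers agreed before the incident (lower = more urgent).
PRIORITY = {"payroll": 1, "debt_service": 1, "wire_outbound": 2,
            "bill_pay": 3, "p2p": 4}
CATCH_ALL_TIER = 5  # anything not classified in advance goes last

# Assumed SDOs: the longest delay per category that still counts as
# minimum viable service.
SDO = {"payroll": timedelta(hours=4), "debt_service": timedelta(hours=8),
       "wire_outbound": timedelta(hours=12), "bill_pay": timedelta(hours=24),
       "p2p": timedelta(hours=48)}
CATCH_ALL_SDO = timedelta(hours=72)


@dataclass(frozen=True)
class Payment:
    pid: str
    category: str
    amount_cents: int
    queued_at: datetime


def deadline(p: Payment) -> datetime:
    """Latest time the payment can settle without breaching its SDO."""
    return p.queued_at + SDO.get(p.category, CATCH_ALL_SDO)


def rank(payments):
    """Order by tier first, then earliest SDO deadline, then larger amount."""
    return sorted(payments, key=lambda p: (PRIORITY.get(p.category, CATCH_ALL_TIER),
                                           deadline(p), -p.amount_cents))


def triage(payments, now, capacity_per_hour, hours):
    """Assign ranked payments to hourly slots while capacity lasts.

    Returns a dict with:
      scheduled    - list of (payment, run_at) that fit inside the horizon
      deferred     - payments that do not fit inside the horizon
      sdo_breaches - payments that run after their deadline, or are deferred
                     although their deadline falls inside the horizon
    """
    ordered = rank(payments)
    horizon = now + timedelta(hours=hours)
    slots = capacity_per_hour * hours
    scheduled, deferred, breaches = [], [], []
    for i, p in enumerate(ordered):
        if i < slots:
            run_at = now + timedelta(hours=i // capacity_per_hour)
            scheduled.append((p, run_at))
            if run_at > deadline(p):
                breaches.append(p)
        else:
            deferred.append(p)
            if deadline(p) <= horizon:
                breaches.append(p)
    return {"scheduled": scheduled, "deferred": deferred, "sdo_breaches": breaches}


# Constructed sample queue as it might look after a partial restoration.
NOW = datetime(2024, 6, 3, 9, 0)
SAMPLE_QUEUE = [
    Payment("p1", "p2p", 2_500, NOW - timedelta(hours=1)),
    Payment("p2", "payroll", 4_500_000, NOW - timedelta(hours=3)),
    Payment("p3", "bill_pay", 12_000, NOW - timedelta(hours=5)),
    Payment("p4", "debt_service", 1_250_000, NOW - timedelta(hours=8)),
    Payment("p5", "payroll", 900_000, NOW),
    Payment("p6", "wire_outbound", 300_000, NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    report = triage(SAMPLE_QUEUE, NOW, capacity_per_hour=2, hours=2)
    for p, run_at in report["scheduled"]:
        print(f"{run_at:%H:%M} {p.pid:3} {p.category:14} due {deadline(p):%H:%M}")
    print("deferred:", [p.pid for p in report["deferred"]])
    print("SDO breaches:", [p.pid for p in report["sdo_breaches"]])
```

The value of running this before an incident is the `sdo_breaches` list: with the assumed tiers and SDOs, two payments per hour over a two-hour window meets every objective, but a single slot per hour for one hour already leaves a payroll run past its SDO. That is the kind of capacity shortfall the exercise found participants had never quantified.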
Millions of payments are made every day on the Automated Clearing House (ACH) Network. For banks, inaccessible accounts and other service interruptions can lead to class-action lawsuits, regulatory fines, and congressional scrutiny.
Traditionally, incident response and business continuity efforts have focused on data recovery, with little regard for delivering services while systems are still impaired. In 2021, the Business Resilience Council launched a multi-sector working group to develop the Operational Resilience Framework (ORF) to address that gap. The ORF was designed to be broadly applicable and is aligned with existing control sets such as those from the National Institute of Standards and Technology (NIST).
The framework provides rules and implementation aids that support a company's recovery of immutable data while also, uniquely, allowing it to minimize service disruptions in the face of destructive attacks and events.
The ORF was used in the incident response exercise to help the financial institutions recover and prioritize their actions. The freely available document, together with an accompanying maturity model and implementation scenarios, supports detailed pre- and post-incident planning.
“The ORF provides an extremely effective base from which to establish and evaluate your business continuity efforts in the event of an attack or disaster,” said the Managing Director for Strategy, Planning, and Transformation at a Big Four U.S. bank. “It’s free, it was made by security and risk management professionals from many different industries, and it’s evident from the wiperware exercise that it’s a valuable tool for uncovering gaps.”
After the event, 30% of small-to-medium-sized commercial banks and 50% of the largest banks reported they plan to reassess their minimum viable service levels and service delivery objectives as a result of the exercise.
This exercise for the financial services sector was followed by two additional events that broadened the scenario to organizations from many industries. The after-action report for those multisector exercises will be released in the coming days.