Directors' Resource Center

Cyber Challenge: A Community Bank Cyber Exercise

Technical Assistance Video Program

Purpose

The FDIC created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.

Using nine unique scenarios, the Cyber Challenge helps start an important dialogue among bank management and staff about ways they address operational risk today and techniques they can use to mitigate this risk in the future. The Cyber Challenge is not a regulatory requirement; it is a technical assistance tool designed to help assess operational readiness.

Background

Financial institution management is typically well versed in addressing traditional banking risks such as interest rate, liquidity, and credit risk. Addressing certain operational risks, however, may be more challenging, since threats to information technology and related operations of banks are increasing and evolving.

Community financial institutions may be exposed to operational risk through internal or external events ranging from cyber attacks to natural disasters. Regardless of the cause, operational risks can threaten an institution’s ability to conduct basic business operations, affect its customer service, and tarnish its reputation.

Objectives

The Cyber Challenge is designed to help financial institution management and staff discuss events that may present operational risks and consider ways to mitigate them. It can provide useful information about an institution’s preparedness and identify opportunities to strengthen the bank’s resilience to operational risk.

Overview of the Exercise

The Cyber Challenge consists of nine short video vignettes and related challenge questions. Each video vignette depicts a unique scenario. The challenge questions for each vignette are designed to help bank management and staff think about how they would respond to the scenarios. Also included are lists of reference materials participants can turn to for more information.

Suggested Guidelines and Ground Rules

Institutions may use a free-flowing or facilitated discussion of the vignettes. Here are guidelines for organizing a discussion and suggested ground rules. Participants in the Cyber Challenge should treat it as a data-gathering event and follow a non-attribution policy. Participants may want to record their discussions during the exercise to help compile lessons learned and identify areas for improvement.

  • Vignette 1 Farmers & Merchants Bank of Dauerville
    Item Processing Failure
    A new item processing service provider cannot process the volume of transactions generated by the bank.
  • Vignette 2 Farmers State Bank of Robertsburgh
    Customer Account Takeover
    A corporate customer reports unauthorized withdrawals on its account.
  • Vignette 3 The State Bank of Town City
    Bank Internal Error/Phishing and Malware Problem
    Bank staff receive a phishing email that appears to have been sent by the institution's president.
  • Vignette 4 People's State Bank of Morello
    Technology Service Provider Problem
    Problems ensue after the financial institution's service provider updates its system.
  • Vignette 5 Farmers Bank of Westburg
    Distributed Denial of Service (DDoS) Attack
    The bank IT manager investigates a possible DDoS attack and discovers a second attack that steals data from the institution.
  • Vignette 6 Farmers State Bank of Robertsburgh 
    Automated Teller Machine (ATM) Malware
    ATM malware reveals deficiencies in a bank's service provider contract.
  • Vignette 7 People's State Bank of Morello
    Ransomware
    A cyber-attack has taken place, and important files are being held for ransom.
  • Vignette 8 Eau Rapides Bank
    Flood
    Communications problems ensue after the bank’s data center floods.
  • Vignette 9 Bank of Lieferkette 
    Supply Chain
    A third-party software update infects the bank’s system, disrupting core processing and stealing data.

Last Updated: October 15, 2018