You’re meeting with senior management when you receive a call that your financial institution’s networks are down. Hackers are claiming credit and the press is demanding answers. What do you do?
This is the dilemma we presented to participants in our first Crisis U session last month, a “war-games”-like gathering in which participants portray senior management of a fictional financial institution facing a serious cyber-attack.
We were with senior managers of a real-life financial institution, so no one was new to the concerns of the financial industry or the protocols for mitigating this type of risk. But when a masked hacker appeared on the boardroom screen, we all suddenly found ourselves in a world beyond protocols. In the confusion of a real-time crisis, you quickly see what’s missing from your contingency plan.
One of the more unexpected lessons learned in our first running of the event was that executives are often unaware of the ways in which data can be “kidnapped” or used for extortion. Participants were surprised that lines of coverage generally thought to protect individuals, like kidnap and ransom, can be applied to data.
We suspect other institutions will learn different lessons and discover different weaknesses when we run the sessions with them.
What Crisis U is
Crisis U is a new crisis response training program our Financial Services Practice developed with our Network Security and Privacy team. We designed the multimedia program to create an environment that will stimulate a serious discussion of true preparedness.
The class lasts two and a half hours, with participants portraying senior management of Hamilton National, a fictional financial institution, facing a serious cyber-attack. The experience is fun, if a bit disquieting. Participants come away with a better appreciation of how their insurance coverages interrelate, how their brokers can assist, and how quickly they must react in today’s Internet world.
We will be arranging additional stagings of the program for risk managers, technology officers, and legal, compliance and operations staff of financial institutions upon request.