Are U.S. banks ready for a major ACH outage?

In a simulation exercise hosted by the Global Resilience Federation on Tuesday, banks and credit unions tested their ability to withstand an industrywide wiperware attack on the ACH network, which disrupted transfers and direct deposits for numerous fictional customers.

On Tuesday, amid a campaign to disrupt the U.S. financial system, fictional hacking group Purple Rain used wiperware to halt automated clearinghouse, or ACH, payments across multiple banks and credit unions, preventing Americans from receiving their paychecks and paying their bills, but the total extent of the disruption was not immediately clear. Wiperware is a type of malware that can destroy or "wipe" data on a targeted system or network.

That was the premise of the exercise put on by the Global Resilience Federation, a cross-sector nonprofit hub for the exchange of cyber, supply chain and other threat intelligence, and Nacha, which operates the ACH network. The point of the exercise was to assess the ability of banks, credit unions, core processors and other participating firms to respond to the fictional but, according to the federation, plausible scenario.

"My message today is for all of us to prepare for these threats that could potentially be launched against your ACH systems," said Bill Nelson, chair of the federation. "We hope that this tabletop exercise will prove to be a useful tool for you to determine how you would respond and recover from a destructive attack."

To kick off the exercise, fictional news anchors interviewed fictional victims on the first simulated day of the exercise. The victims told stories about being unable to make or receive electronic payments and being locked out of their bank accounts. A fictional analyst informed the show's audience that the disruption might have been caused by a problem with the ACH network.

Participants learned that Purple Rain had deployed the fictional wiperware attack that was disrupting the ACH network, but further details about impact — how many firms or customers were affected, for instance — remained cloudy. In that fog of war, the exercise began.

A panel of experts in resilience and cybersecurity, gathered by the GRF for this exercise, asked participants a series of questions designed to assess their ability to respond to the scenario. Does your financial institution have a cybersecurity risk management control framework in place? Who at your institution is responsible for leading the response to this event? How do you define what a business-critical service is at your organization?

Nacha, which manages the ACH network, sent two executives to the exercise: Jordan Bennett, senior director of ACH network risk management, and Devon Marsh, senior director of ACH network administration. Bennett previously served as senior credit and risk analyst for the Federal Reserve Bank of Atlanta; Marsh previously served as a senior vice president in multiple departments for Wells Fargo Bank.

The other panelists were Trey Maust, executive chair at Lewis & Clark Bank; Bob Blakley, former global head of information security innovation at Citi; and Mark Harvey, who has also provided resilience strategy leadership at the Federal Reserve Bank of New York and multiple security and intelligence agencies including the Department of Homeland Security.

Walking through each question, the panel provided analysis about the anonymized answers that poured in from the more than 250 participants who signed up for the free exercise.

Unsurprisingly, nearly every participant said their institution had a cybersecurity risk management control framework in place, many based on the recently updated Cybersecurity Framework from the National Institute of Standards and Technology. The exercise was open to nonbanks, and because participation in the exercise was anonymous, it is unclear which participants reported not having a framework in place.

Part of having a cybersecurity risk management control framework is defining what services are and are not operationally critical to the organization, which helps to identify which services need additional monitoring and controls.

"There are only a few things that each organization does that could directly impact their customers and partners, so those are the things that I think rise to that level," said Mark Orsi, CEO of the federation and a facilitator of the exercise. "But that's the question: Do we feel like ACH rises to that level?"

Again, nearly every participant said yes. The panel then asked how exactly participants defined what is and is not an operationally critical service (answers varied but focused on customer needs), and the questions and discussion continued.

The panelists didn't provide prescriptive guidance. Instead, using the premise of the exercise, they gave examples of how institutions could orient their resilience plans toward providing services, even if limited, to minimize the effect of the ACH network disruption.

The federation will host another half-day exercise on April 17 running through the same scenario and escalations simulated on Tuesday, designed for financial institutions and core processors. A multi-sector exercise is expected later this year to extend the scenario to explore operational resilience in the broader ecosystem. Institutions are welcome to bring observers to watch segments of the exercises as they unfold.
