
PROTECT [IL1]

Desktop cyber exercise – 12 November 2013 1

Waking Shark II Desktop Cyber Exercise Report Appendices

Annex A – Governance Group members

Steering Group

John Milne Bank of England (Co-Chair)

Malcolm Brooke Credit Suisse (Co-Chair)

Sharon Wallis Bank of England

Simon Onyons FCA

Heather Kempton HM Treasury

Nick Fuller SIBCMG Co-Chair / Credit Suisse

Nick Godfrey IBSIG Chair / Goldman Sachs

Gayle Hedgecock Payments Council

Michael Roberts OCSIA

Alan Campbell Infrastructure Providers

Andrew Rogan British Bankers Association

Chris Keeling Keystone Resilience

Scenario Design Group

Nick Godfrey Goldman Sachs (Chair)

Angus Burden JPMorgan

Chris Joy Nomura

Carlton Cristie JPMorgan

Jason Mallinder Credit Suisse

Hakan Lucas RBS

David Cripps Investec

Allan Campbell LCH Clearnet

Paul Griffiths Morgan Stanley

Orhan Moye BNP Paribas

Alan Stockey FS-ISAC

Raj Samani McAfee

Ashley Jellyman BT

Phil Huggins Detica

Ben Lindgreen Payments Council

Rich Bennett (Secretariat) FSIE

Simon L CSOC

Chris Da CPNI

Roz Horton Bank of England

Nick P CPNI

Jagesh Thakkar FCA

Nathan Bird SIBCMG

John Synge SIBCMG

Ian Wellings SIBCMG

Ian Dowglass Euroclear UK & Ireland

Susanne Gahler FCA

Freddie Hult Bank of England

Brian Janganant LSE

Etienne DeBurgh HSBC

Matt Steel Thomson Reuters

Carric Dooley McAfee

Planning & Facilitation Group

Nick Fuller Credit Suisse (Chair)

Sharon Wallis Bank of England (alt Chair)

Lauren Earls Bank of England

Nick Emery Citibank N.A.

Nathan Bird Goldman Sachs

Ian Wellings JPMorgan

John Synge Morgan Stanley

Leila Gomes Nomura

Kelly Orvis Barclays plc

Ian Dowglass Euroclear UK & Ireland

Chris Keeling Keystone Resilience

Annex B – Participant organisations

Wholesale Banks

Bank of America / Merrill Lynch

Barclays plc

BNP Paribas UK Ltd

Citibank N.A.

Credit Suisse

Deutsche Bank Group

Goldman Sachs International

HSBC Bank plc

JPMorgan

Morgan Stanley

Nomura International plc

Royal Bank of Scotland Group

Société Générale

UBS Investment Bank

Financial Market Infrastructure

CHAPS Co Ltd

CLS Services

Euroclear UK & Ireland

LCH Clearnet

London Stock Exchange

SWIFT

Authorities

Bank of England, including Prudential Regulation Authority

Financial Conduct Authority

HM Treasury

Supporters/Experts

Bank of England (Sterling Markets Division)

British Bankers Association

British Telecom (BT)

Centre for Protection of National Infrastructure (CPNI)

Crisis Guardian

Cyber Security Operations Centre (CSOC)

Debt Management Office (DMO)

Office of Cyber Security & Information Assurance (OCSIA)

Payments Council

Annex C – Exercise Development and Approach

Planning

The planning for the exercise was led by representatives from the member firms of the SIBCMG with support from the UK Financial Authorities, other financial sector organisations, and specialists from government and other key suppliers to the sector.

A Steering Group led by Credit Suisse and the Bank of England provided overall governance and oversight for the development and delivery of the exercise. Detailed scenario design was undertaken by a Scenario Design Group (SDG) led by Goldman Sachs, and delivery was co-ordinated by a Planning and Facilitation Group (PFG) led by Credit Suisse. The members of all three groups were drawn from the member firms of SIBCMG, the Authorities and supporting organisations.

Exercise planning commenced in May 2013 with detailed project plans being produced for the scenario design and delivery. A risk log was maintained throughout the process to ensure that risks were understood and mitigating actions applied as required. In particular, it was identified that a formal rehearsal should be undertaken at the venue to test all the technology that would be used on the day of the exercise and to provide each of the participants’ facilitators with a detailed briefing.

Enhancements over Waking Shark I

The Waking Shark II exercise design included the following enhancements over the first Waking Shark exercise, held in March 2011:

Dynamic interaction with individual firms being given both general and specific impacts to respond to throughout the day.

A longer half-day exercise to allow for a more in-depth scenario, analysis and discussion. The exercise commenced at 12:30pm and completed at 5pm.

Involvement of a greater number of Firm experts through enlarged teams with up to eight representatives (five business and three technical).

Greater expert involvement in both the design and execution of the scenario. The exercise control team included a number of experts from both participating firms and supporting organisations, all of whom had been involved in the design of the scenario. CPNI provided expert guidance on the provision and use of the CISP platform and supported the platform during the exercise.

Provision of the CISP platform allowed for real-time sharing of cyber threat information between the participating firms.

Simulated media involvement to more accurately reflect the challenges experienced. A specialist organisation was engaged to develop high quality media input and firms were invited to bring a member of their communications team to the exercise.

Greater engagement with critical infrastructure providers. Key Financial Market Infrastructure organisations played in the exercise and provided information as to their status throughout.

Authorities’ involvement and participation using the new regulatory structure. The Bank of England, including the Prudential Regulation Authority, the Financial Conduct Authority, and HM Treasury were all represented during the exercise.

The exercising of CMBCG in its role as strategic coordination forum for wholesale market disruption.

The scenario also incorporated the lessons learned from Waking Shark I and the 2011 Market Wide Exercise (MWE) and was designed to demonstrate progress against those findings.

Delivery

As shown below, the exercise took place over three phases separated by electronic voting and discussion. Each phase had specific objectives aligned to the overall exercise objectives.

The exercise was delivered by a facilitation team and an Exercise Control group comprising members of the SDG and other experts. The facilitation team comprised a ‘lead’ facilitator, who led the session, supported by additional facilitators who helped the participants with questions regarding the exercise and the scenario.

The exercise information was delivered to the participants by way of paper injects that contained details of the events that the firm was experiencing at that time, and supporting media injects.

The paper injects were provided to each table in three envelopes as follows:

Envelope 1 – Phase 1 containing Tranche 1 (Tuesday 17 December 3pm) and Tranche 2 (Tuesday 17 December 6pm).

Envelope 2 – Phase 2 containing Tranche 3 (Wednesday 18 December 6am) and Tranche 4 (Wednesday 18 December 12pm).

Forms – containing an Action Log that each Participant was encouraged to complete, MIDAS forms that were requested by the Authorities at key points in the exercise, ‘Question’ and ‘Announcement’ cards that could be used to signal a question for the facilitators or announcement to the group, and a Feedback form for completion at the end of the exercise.

Media injects were delivered at various stages in the exercise. The exercise began with a televised media montage that ‘set the scene’. At the end of Phase 1 a televised 10 o’clock News Bulletin was aired and at the end of Phase 2, a televised 3 o’clock News Bulletin was aired to simulate the reaction of the press to the unfolding events. Additional media injects comprising Twitter and Web pages were delivered during the mid-exercise comfort break and during the CMBCG meeting.

Exercise timeline (real time – item – exercise time)

12:30 – Introduction & Scenario Background

13:00 – Inject tranche 1 – exercise time 15:00 Tuesday

13:20 – E-voting

13:40 – Inject tranche 2 – exercise time 18:00 Tuesday

14:00 – E-voting

14:20 – Break and “level set”

14:50 – Inject tranche 3 – exercise time 06:00 Wednesday

15:10 – E-voting

15:30 – Inject tranche 4 – exercise time 12:00 Wednesday

15:50 – E-voting

16:15 – CMBCG Meeting

16:40 – CMBCG update and “level set”

17:00 – Group Discussion (Return to BAU)

Objectives by phase

Phase 1 (Tranches 1 and 2) – Demonstrate information sharing between firms via CISP; exercise firm responses to cyber incidents.

Phase 2 (Tranches 3 and 4) – Demonstrate information sharing between firms and between firms and regulators.

Phase 3 (CMBCG meeting) – Evidence the CMBCG coordination role.

During the exercise, each participant team was coordinated by a table facilitator who was responsible for opening the envelopes and providing the inject tranche to their team when asked to do so by the exercise facilitator. The participants were then given between 20 minutes and half an hour to discuss the impact on their firm resulting from the injects and to interact with the other participants (including Firms, the FMIs and the UK Financial Authorities) as appropriate. In addition, information could be posted to the CISP platform, which provided all participants with an overview of the developing cyber-attack.

Specific questions about the scenario could be directed to the facilitators who could call on the expertise of the Exercise Control Group if required.

The discussion was followed by a number of electronic voting questions where each participant was asked to select one or multiple answers to questions posed by the lead facilitator. The responses were then presented and discussed.

Following the first four exercise sections there was a final Phase (Phase 3) that comprised a meeting of the CMBCG to consider the overall market impact and response, followed by a final set of electronic voting questions. The formal exercise then closed and a final general discussion was led by the lead facilitator to summarise the issues identified and receive comment from the participants.

The exercise was closed by the UK Financial Authorities and each firm and the observers were invited to complete a feedback form prior to leaving the event.

Annex D – Participant voting results

Phase 1: Tranche 1

Question 1: Based on information you have received since the start of the exercise, which of the following is closest to your understanding of the current status?

Question 2: Describe the level of impact to your organisation and its ability to service stakeholders (clients) at this stage.

Phase 1: Tranche 2

Question 3: Which of the following DDoS mitigants have you deployed?

Question 4: Describe the level of impact to your organisation and its ability to service stakeholders (clients) at this stage.

Question 5: Which of the following internal communications and escalations have been initiated by this stage?

Question 6: Which of the following external communications and escalations have been initiated by this stage?

Question 7: What decisions have you made regarding key overnight processing (for example for collateral/margin, risk and PnL calculations)?

Question 8: Have you requested a sector group meeting at this stage?

Phase 2: Tranche 3

Question 9: What activities are you undertaking to manage risk given the overnight pricing issues?

Question 10: Describe the severity of the funding and liquidity concerns caused by the LCH issue at this stage.

Question 11: What activities are you undertaking to manage risk given the LCH issues?

Question 12: Which of the following internal communications and escalations have been initiated by this stage?

Question 13: Which of the following external communications and escalations have been initiated by this stage?

Question 14: Not asked

Phase 2: Tranche 4

Question 15: Describe the severity of the funding and liquidity concerns caused by the LCH issue at this stage.

Question 16: What activities are you undertaking to manage risk given the LCH issues?

Question 17: Describe the impact of the payments issues at this stage.

Question 18: What options are you considering to deal with the payments disruption?

Question 19: Have you requested a CMBCG meeting at this stage?

Phase 3

Question 20: What is your best estimate of when you expect to be able to return to BAU?

Annex E – Participant Feedback

Exercise Objectives

Question 1: Do you feel the exercise was successful in meeting its objectives?

Objective 1: Assess whether firms had adopted the feedback and lessons learnt from Waking Shark I.

Objective 2: Exercise communication and information flows between firms, and between firms and regulators, during a cyber-attack.

Objective 3: Improved understanding of the impact of a cyber-attack on the financial sector and how the sector should respond, as identified by the 2011 Market Wide Exercise.

Question 2: Did you identify any issues with communications and information sharing between firms or regulators?

Exercise Delivery

Question 1: Do you feel the exercise was well organised and delivered (inc. pre-event briefings)?

Question 2: Was the format successful in facilitating engagement and interactive discussions?

Question 3: Did your team find the scenario sufficiently challenging?