
CyberCare by STORM Guidance

FFIEC Cybersecurity & Operational Resilience: What US Businesses Need to Know

Purpose of the FFIEC Guidance

The FFIEC guidance seeks to:

  • Strengthen the cyber resilience of the US financial sector.

  • Enhance preparedness, detection, response, and recovery from cyber and operational incidents.

  • Provide a risk-based framework to evaluate and improve an institution’s security posture.

Objectives of Cyber Exercises

  • Assess decision-making and crisis response protocols.

  • Test coordination between IT, executive management, and external stakeholders.

  • Evaluate internal/external communications and escalation paths.

  • Identify gaps in controls, staffing, and recovery resources.

Testing is Expected

Institutions are expected to:

  • Conduct regular testing of incident response and recovery plans.

  • Include cyber incident scenarios that represent realistic and evolving threats.

  • Perform tabletop, functional, and full-scale exercises involving:

    • Malware outbreaks

    • Ransomware

    • Data breaches

    • Insider threats

Cyber Incident Exercise Requirements

The FFIEC places strong emphasis on cyber incident simulations and exercises, particularly as part of business continuity planning (BCP) and incident response testing.

Supervisory Expectations

  • Examiners assess:

    • Whether incident response plans have been tested in practice.

    • The realism and complexity of cyber incident exercise scenarios used.

    • Engagement of executive leadership in simulations.

  • FFIEC encourages participation in sector-wide or industry-led exercises, e.g.:

    • Sheltered Harbor drills

    • FS-ISAC simulation events

    • Financial Services Sector Coordinating Council (FSSCC) initiatives

Governance and Documentation Requirements

  • Cyber incident exercises must be:

    • Documented with outcomes and lessons learned.

    • Reviewed and approved by senior management and boards.

  • Testing frequency and depth should be based on:

    • Institution size

    • Complexity

    • Risk profile

  • Exercises should inform policy updates, staff training, and resilience planning.

Practical Implementation Guidance

Institutions using the FFIEC guidance should:

  • Maintain a structured testing schedule (e.g. annual full exercise + quarterly tabletop).

  • Simulate events involving:

    • Simultaneous IT & physical crises

    • Data exfiltration and ransomware

    • Cloud service failure

  • Involve all key roles: IT, legal, PR, compliance, risk, and executive management.

  • Align cyber testing with business continuity, disaster recovery, and risk management plans.

Related FFIEC Resources Emphasising Cyber Incident Exercises

Business Continuity Management Booklet (2021)

“Testing is a critical component of a business continuity program… management should test technology recovery capabilities and cybersecurity incident response plans.”

Information Security Booklet

“Institutions should test incident response capabilities through tabletop or live exercises that simulate likely attack scenarios.”

CyberSimulate

If you're implementing or auditing cyber resilience in line with US FFIEC, the Federal Reserve SR 20-24 / OCC Bulletin 2020-98, the SEC Rules on Cybersecurity, or other Operational Resilience requirements, our CyberSimulate service will provide a structured program of cyber incident exercises that:

  • Escalates in complexity over time,

  • Includes involvement from third parties, including critical vendors, where relevant,

  • Encourages critical vendors to exercise their plans with their vendors,

  • Integrates learnings into operational and incident response plans.

Contact the CyberCare team

If you would prefer to speak to the team, give us a call:

UK/Europe: +44-203-693-7480

Africa: +230-434-1277

USA: +1-703-232-9015

