Global FSIs join in NATO-linked ‘live-fire’ cyber exercise

NATO cyber games

Financial services cyber intelligence sharing cooperative, the FS-ISAC, will lead the finserv industry in a ‘live-fire’ NATO exercise to test the sector’s cyber defensive capabilities and resilience during a simulated nation-state attack.

Organised by the North Atlantic Treaty Organisation’s (NATO’s) Cooperative Cyber Defence Centre of Excellence (CCDCOE), the exercise, known as ‘Locked Shields’, is billed as the “largest and most complex [annual] international live-fire cyber defence exercise in the world”.

Held annually since 2010, past Locked Shields events have proved useful for financial services entities to assess their cyber-security capability and resilience, as well as helping the industry better prepare for the consequences of a major cyber-attack – one that could impact multiple critical infrastructure providers.

Held across three days (19-22 April) in Estonia’s capital Tallinn, the exercise simulates both a kinetic and cyber attack on a fictional island country known as ‘Berylia’.

“Exercise planners draw on the current geopolitical situation to develop realistic and challenging scenarios that take into account the current security environment where cyber incidents are unlikely to happen in isolation and are employed as part of a wider geopolitical strategy,” the CCDCOE wrote.

Through the simulation of “realistic, large-scale cyber-attacks”, parties are able to test their national, civilian, and military IT systems’ ability to protect vital services and critical infrastructure.

The intention is to facilitate “systematic, multinational, multi-sector, public-private cyber defence cooperation and coordination” to prepare stakeholders against real nation-state threats.

FS-ISAC serves as the financial services sector representative in Locked Shields, with at least 10 large financial institutions also taking part.

The cyber cooperative recently convened a Scenario Expert Planning Group comprising member firms, including credit and payments giant Mastercard and banking group Banco Santander SA, to design the event’s financial services sector scenario.

“Exercises like Locked Shields help build the muscle memory to respond to real-world cyber attacks,” said Teresa Walsh, FS-ISAC’s global head of intelligence.

“While the scenarios are not specifically tied to the current conflict [in Ukraine], exercise planners look to integrate recent geopolitical circumstances and cyber threat actor tactics, techniques, and procedures, so that teams continually upgrade their response capabilities.”

Ron Green, chief security officer at Mastercard, said the exercises offer the public and private sectors a first-hand opportunity to “test, analyse, and enhance our response capabilities in a real-world environment”.

“We’re able to see how collaboration and information sharing can help us to address cyber threats more efficiently. Together, we are stronger.”

He added: “In cybersecurity, you don’t want to invent something new in the middle of a crisis. That’s the value of large-scale, cross-border exercises like Locked Shields.”

Green noted that the exercise enables businesses to better understand how others respond to cyber attacks, with post-mortems enabling participants to unearth potential weak points and enhance overall cybersecurity.

This year’s Locked Shields event consists of 2,000 participants from 32 countries, with more than 5,000 virtualised systems expected to be subject to more than 8,000 attacks.

In addition to securing complex IT systems, participating teams must also be effective in reporting incidents, strategic decision making and solving forensic, legal, media, and information operations challenges.

The 2022 CCDCOE event comes amid the ongoing war in Ukraine, with fears Russia could launch reprisal attacks on Western banking institutions and cross-border financial transaction systems in response to sanctions imposed by Western governments.

Last month senior executives from SWIFT, the global financial transaction messaging service (one which supports the transaction of trillions of dollars in cross-border payments each day), warned it could face a steady escalation of attacks if more Russian banks are kicked off the network.

“VTB, Russia’s second-biggest bank, and Promsvyazbank, which finances Russia’s war machine, were among the lenders removed last month from the SWIFT network in response to Russia’s invasion of Ukraine,” Financial Times reported last month.