Free Cyber Attack Exercise hosted by FS-ISAC (CAPP)

Registration Deadline
September 29 and October 6

  • October 6-7 | Registration deadline September 29
  • October 13-14 | Registration deadline October 6

Offered exclusively for financial institutions in US and Canada
No charge to participate and all regulated financial institutions welcome!

The Cyber-Attack Against Payment Processes is a confidential two-day, table-top exercise to simulate an attack on payment processes. This annual exercise has been held for the past five years, with close to 1000 U.S. and Canada financial institutions participating last year.

CAPP simulates a robust, real-world attack to challenge Incident Response teams to practice mobilizing quickly, working under pressure, critically analyzing information as it becomes available, and connecting the cyber dots to defend against the attack. This respected model helps teams:

  •  Identify gaps in incident response plans
  •  Strengthen incident response team relationships
  •  Build understanding of system vulnerabilities
  •  Drive exploration of improvements in response

You choose the week that works best for your incident response team. Click here to register your financial institution. After your financial institution is registered, your primary contact will receive information about how to prepare your incident response team members for an interesting learning experience.

  • October 6-7 | Registration deadline September 29
  • October 13-14 | Registration deadline October 6

Frequently Asked Questions about CAPP 2015

HOW DOES CAPP WORK? One person registers your company as Primary Contact. The Primary Contact receives pre-CAPP preparation information, and then receives Incident Response Meeting files at their workstation each morning over 2 consecutive days, with supporting materials. Your team reviews and discusses the information available each day and answers a set of survey questions. You will not be asked for any confidential or identifying information.

IS INFORMATION AVAILABLE FOR OUR EXECUTIVE MANAGERS? An executive brief is available and you can download it here.

WHO CAN PARTICIPATE IN CAPP? Regulated financial institutions of all sizes in the US and Canada can participate in the CAPP exercise.

HOW DOES OUR PRIMARY CONTACT KNOW WHAT TO DO? Your primary contact will be sent a pre-CAPP package with all the details, more information, a help-line phone and email contact, and other helpful hints to prepare him/herself, the team, and your company.

HOW ARE THE SIMULATED INCIDENT RESPONSE TEAM REPORTS RECEIVED? Your primary contact can expect audio files formatted to be accessible without any special provisions. Supporting materials such as PowerPoint slides and meeting transcripts are sent via WebEx or email.

HOW MUCH TIME DOES CAPP TAKE? On average, teams work together for about an hour each day.

WHAT IS THE REGISTRATION COST? There is no cost for regulated financial institutions to participate. CAPP is provided by the Financial Services Information Sharing and Analysis Center (FS-ISAC).

IS THIS A VULNERABILITY TEST OF OUR SYSTEM? No. CAPP is a table-top, simulated exercise. Participating in CAPP will allow you to privately assess your systems and response plans.

WHO SHOULD BE INVOLVED? Typically, the response team includes Operations, IT, Risk, Legal, Customer Service, and Communications. Some organizations invite legal and an executive manager to participate in or observe the exercise.

WHAT ABOUT THE SURVEY? Survey answers are private and submitted anonymously. Responses are analyzed to produce an overall picture of how financial institutions are responding to cyber-attacks and best practices generally emerge. Most organizations use the survey internally to assess and improve their response.

WHAT SURVEY SOFTWARE DOES MY FINANCIAL INSTITUTION NEED? Surveys are completed through a private link to Survey Monkey.

WHAT IF MY FINANCIAL INSTITUTION IS NOT A MEMBER OF FS-ISAC? All regulated financial institutions in the US and Canada are welcome to participate. You do not need to be a member of FS-ISAC.

WILL MY FINANCIAL INSTITUTION’S NAME BE USED ANYWHERE? No. Participating financial institutions are not named or available and your company participates as an anonymous financial institution.

WHAT IS THE AFTER-ACTION? Preliminary results will be presented at the FS-ISAC Fall Summit, October 25-28, 2015, and an interactive WebEx will be hosted and facilitated by FS-ISAC in November.

HOW WILL THE RESULTS BE MEANINGFUL FOR MY FINANCIAL INSTITUTION? The surveys are completed anonymously; however, some general demographic questions, such as asset size, country code, and industry focus, help compile a useful benchmark-type report that most financial institutions should find helpful.

WHO CAN I CONTACT FOR QUESTIONS? If you have questions before, during, or after the CAPP you can contact FS-ISAC staff at

WHO OR WHAT IS FS-ISAC? The Financial Services Information Sharing and Analysis Center was established in 1999 by the financial services sector in response to U.S. Presidential Directive 63 in 1998. That directive, later updated by U.S. Homeland Security Presidential Directive 7 in 2003, mandated that public and private sectors share information about physical security and cyber intelligence threats and vulnerabilities to help protect critical infrastructures. FS-ISAC has expanded globally to address the growing need for this information to be securely shared across boundaries.

WHO CAN I CALL IF I HAVE SPECIFIC QUESTIONS? For specific questions not addressed here or in the supporting materials, contact Robin Reeder at +1 703-641-0005 or

