Global payment companies held their first joint cybersecurity war games to test their systems’ readiness for simultaneous attacks, uncovering differences in their defenses including even how to define a crisis.
JPMorgan Chase & Co., Mastercard Inc., American Express Co., WorldPay Inc. and Fidelity National Information Services Inc. were among the 18 payment processors from the U.S. and the U.K. that took part in the exercises, which were held Oct. 5 at IBM’s test center in Cambridge, Massachusetts. Some of the findings were shared with Bloomberg News in advance of a conference in Atlanta Wednesday.
Financial firms have led spending on cybersecurity as high-profile attacks exposing customer data and theft of funds raised pressure on the industry. Executives and regulators are concerned that a systemic attack on the plumbing of the financial system could disrupt the global economy, and cooperation between the industry and government agencies is increasing.
“We put competitors in the same room together, which initially they were hesitant to do,” said Rob Johnston, chief information security officer for FIS and one of the organizers. “But they realized pretty fast how valuable such a gathering is. When there are multiple breaches in an organized attack, it’s better to coordinate the response.”
The participants discovered that they had varying definitions of a crisis related to breaches as well as differing approaches in how they reach out to law enforcement. Agreeing on a common definition and streamlining cooperation with government agencies will be goals for the payments industry, Johnston said. The sector will also seek a more formal way of sharing information on threats, he said.
Some of the payments firms are members of the Financial Services Information Sharing and Analysis Center, known as FS-ISAC, a forum for banks, broker-dealers and insurance companies to share data on threats. Banks and brokerage firms have been holding cyber war games regularly since 2011, testing the U.S. capital markets’ readiness for attacks.