Multi-vector: cyber attack + key vendor failure
Multi-vector · Severe but plausible · all 8 in-scope services
A coordinated extortion campaign strikes the sector: while Meridian's SOC contains a credential-stuffing wave against the digital channel, Cardinal Card Network — itself under attack — suspends authorization services regionally. Four hours in, a destructive payload is confirmed inside Meridian's card switch integration tier. The bank fights simultaneous degradation of card authorization, digital banking, and its fraud-screening SaaS, with vendor and bank recovery timelines compounding.
The Examiner persona is read-only — switch to any operating role to launch a live run. The Monte Carlo executes in a Web Worker: the interface stays fully responsive while 10,000 iterations run.
Modal critical path: Cardinal Card Network
Modal critical path: MobileOne Digital Banking
No breach-driving assets identified (service unaffected by this shock set).
No breach-driving assets identified (service unaffected by this shock set).
Modal critical path: CardSwitch Authorization
No breach-driving assets identified (service unaffected by this shock set).
No breach-driving assets identified (service unaffected by this shock set).
No breach-driving assets identified (service unaffected by this shock set).
Firms must test their ability to remain within impact tolerances under severe but plausible disruption scenarios, increasing sophistication over time.
Institutions test critical operations against severe but plausible scenarios, using results to assess whether tolerances would be breached and to remediate weaknesses.
A proportionate testing programme (including advanced threat-led testing for significant entities) validates the entity's ability to withstand ICT disruption.
Banks maintain and test business continuity plans under severe but plausible scenarios to continue delivering critical operations through disruption.
Expectations are paraphrased for demonstration; consult the source instruments for authoritative text.