Annual Tabletop

For Financial institutions

The IR exercise your FFIEC, NCUA, or NYDFS examiner is going to ask about.

Built for community banks, credit unions, and FinTechs. Every exercise produces an AAR with FFIEC IT Handbook, FFIEC CAT, NCUA ACET, NYDFS 23 NYCRR §500, and GLBA Safeguards crosswalks side by side.

The problem

Your examiner wants documented IR exercises. Your CAT or ACET maturity rating wants Evolving-or-better evidence. Your 72-hour clock doesn't wait.

FFIEC's Information Security Booklet expects a tested IR plan with documented exercise evidence. NCUA examiners use ACET to score the same. NYDFS §500.16 requires it explicitly, and §500.17(a) gives you 72 hours to notify after a determination. Your insurance underwriter wants proof of an annual exercise. The traditional answer is a $40K consultant once a year. Annual Tabletop is the AI exercise director that produces examiner-ready evidence on your timeline — quarterly if you want — at a fraction of the consultant cost.

Why Annual Tabletop fits

Built for financial institutions — not retrofitted from an enterprise SOC tool.

  • Capability 01

    Every FI framework crosswalked in one AAR.

    FFIEC IT Handbook (Information Security; Business Continuity Management; Architecture, Infrastructure, and Operations), FFIEC CAT, NCUA ACET maturity domains, NYDFS 23 NYCRR §500.16/500.17, GLBA Safeguards Rule, plus SOC 2 and PCI DSS where they apply. One exercise. Every examiner gets what they need.

  • Capability 02

    Designed around the dual-clock reality.

    Wire-fraud injects exercise the wire-recall window, the FinCEN SAR filing deadline, and the NYDFS 72-hour notification window in the same session. Your IR team gets repetitions on the decisions that actually matter on the day.

  • Capability 03

    Examiner-ready AAR — and AI moves you up the maturity scale.

    The AAR is built to drop into your CAT/ACET workpapers. Annual cadence puts you at Baseline. Quarterly cadence — affordable for the first time — moves you toward Evolving and Intermediate. Your maturity rating is no longer gated by your facilitation budget.

Scenarios for Financial

3 scenarios tuned to your environment.

Framework crosswalks: FFIEC IT Handbook, FFIEC CAT, NCUA ACET, NYDFS 23 NYCRR §500, GLBA Safeguards

  • An originating depository financial institution discovers a batch of fraudulent ACH credits already settled to mule accounts at a downstream bank. Walk the NACHA Rule 2.5 reversal sequence, the FFIEC IR chain, and the FinCEN SAR clock under live financial pressure.

    • FFIEC IT Handbook
    • FFIEC CAT
    • NACHA Operating Rules
    • NYDFS 23 NYCRR §500
  • Business Email Compromise / Wire Fraud (Intermediate)

    FFIEC Wire Fraud — The Examiner's Favorite FI Tabletop

    A community bank's wire room authorizes a $2.3M outbound after a spoofed CEO thread. Walk the FFIEC IT Handbook IR sequence, hit the NYDFS 72-hour clock, and produce the evidence packet your examiner asks for.

    • FFIEC IT Handbook
    • FFIEC CAT
    • NCUA ACET
    • NYDFS 23 NYCRR §500
  • A finance lead authorizes a $187K wire to a 'new vendor' after a CEO email thread that turns out to be a BEC. Run the response your SOC 2 / cyber-insurance underwriter wants documented.

    • SOC 2 CC7.4/CC7.5
    • HIPAA §164.308
    • FFIEC
    • PCI DSS 12.10

Sample AAR

Sample community-bank AAR. FFIEC + NCUA + NYDFS §500 crosswalks. Decisions captured against your wire-room runbook, your SAR-filing path, and your NYDFS notification timeline.

The AAR is the artifact. It's what your FFIEC / NCUA / NYDFS examiner actually reads. Every Annual Tabletop exercise produces one.

After-Action Report

Financial institutions — Sample Exercise

Conducted via Annual Tabletop · 60 minutes · FFIEC IT Handbook, FFIEC CAT, NCUA ACET, NYDFS 23 NYCRR §500, GLBA Safeguards

Scenario: Constrained-decision injects tuned to a Financial environment.
Decisions captured: Three time-boxed decisions, scored against your plan. Each maps to a framework control in the AAR.
Framework crosswalk: FFIEC IT Handbook · FFIEC CAT · NCUA ACET · NYDFS 23 NYCRR §500 · GLBA Safeguards

Pricing

FI pricing — examiner-driven, not enterprise-tier-priced.

Financial Institutions tier pricing is published. Annual contract, full FFIEC / NCUA / NYDFS framework library, custom inject creation for your wire-room runbook, and the AAR template your examiner asks for.

FAQ

Financial institutions — questions we get

  • Will my FFIEC examiner accept the AAR as IR exercise evidence?
    Yes. The AAR is built around the FFIEC IT Examination Handbook Information Security Booklet IR section. Captured decisions, timestamps, participants, and the framework crosswalk are all present. Examiners get exactly what the booklet asks for.
  • Does the FFIEC CAT or NCUA ACET get a real lift from this?
    Yes. Your IR-related declarative statements move from Baseline toward Evolving / Intermediate (regularly tested IR with documented improvements acted on). The AAR includes a CAT/ACET-style summary section your team can paste into their next assessment. Note that the FFIEC sunset the CAT on August 31, 2025 and pointed institutions to other assessment frameworks such as NIST CSF 2.0; the same exercise evidence still supports the NCUA ACET domains, which were derived from the CAT.
  • Does it cover NYDFS 23 NYCRR §500?
    Yes. §500.16 (IR plan) and §500.17(a) (72-hour notification) are explicitly exercised. Wire-fraud and ransomware scenarios both walk the determination → notification clock so your CISO has muscle memory before the day they need it.
  • What about GLBA Safeguards Rule notifications?
    The Safeguards Rule amendment that took effect in May 2024 requires notice to the FTC as soon as possible, and no later than 30 days after discovery, for a notification event involving at least 500 consumers. That decision is in scope: the AAR captures whether the 500-consumer threshold was met, the notification decision, and the rationale, which is what an FTC inquiry will ask for.
  • Can our cyber-insurance carrier use the AAR for renewal?
    Yes. Carriers increasingly require an annual tested IR plan, and increasingly require quarterly testing for higher coverage limits. The AAR is the artifact. The cover sheet is built to be forward-able.
  • How long is a session?
    60–90 minutes for the exercise itself. The AAR is generated in the session — your CISO leaves with the evidence packet in hand.

Run an FFIEC-conformant exercise this quarter, without the consultant invoice.