CBS-1 Digital Account Access & Management
Introduction
Operational Resilience requires organisations such as Boost Bank to identify and prepare for Severe but Plausible (SbP) Scenarios — events that are extreme in impact yet realistic enough to occur, as described in the BCM Institute blog “[OR] [P2-S4] [1] What is Severe but Plausible Scenarios in Operational Resilience.”
For CBS-1 Digital Account Access & Management, the focus is on ensuring that customers can securely onboard, authenticate, access, and manage their digital banking services without unacceptable disruption.
The SbP scenarios below integrate Cyber and ICT risks, recognising that digital banking services are highly dependent on secure applications, cloud infrastructure, third-party integrations, and regulatory compliance systems.
Table P5: Identify Severe but Plausible Scenarios for CBS-1

| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action (Evidence of Preparedness) | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 1.1 | Account Onboarding & Registration | Large-scale outage of digital onboarding platform due to cloud misconfiguration or DDoS attack during peak campaign | New customers unable to register; revenue loss; reputational damage; regulatory scrutiny | Multi-region cloud deployment; DDoS protection; onboarding failover environment; periodic stress testing; onboarding surge capacity testing | Cyber: DDoS, API exploitation. ICT: Cloud configuration failure, capacity overload |
| 1.2 | Authentication & Access Control | Credential stuffing attack exploiting compromised credentials from external breach | Mass account lockouts; unauthorised access; customer panic | MFA enforcement; behavioural analytics; bot mitigation; credential monitoring; regular penetration testing | Cyber: Identity attacks, brute force. ICT: IAM system resilience |
| 1.3 | Profile & Account Maintenance | Core banking API failure corrupts customer profile updates | Incorrect customer data; transaction errors; compliance breaches | API validation controls; automated reconciliation; rollback mechanisms; change management controls | Cyber: API tampering. ICT: Integration failure, database corruption |
| 1.4 | Embedded Banking Integration | Third-party fintech partner API compromised, leading to data leakage | Exposure of customer data; regulatory penalties; loss of partner trust | Third-party risk assessments; secure API gateway; continuous monitoring; contractual security clauses | Cyber: Supply chain attack. ICT: Third-party system dependency |
| 1.5 | Security & Fraud Monitoring | Fraud monitoring system outage due to SIEM platform failure | Undetected fraudulent transactions; financial loss | Redundant fraud detection engines; manual fraud review fallback; real-time monitoring dashboards; scenario testing | Cyber: Advanced persistent threat. ICT: Monitoring infrastructure failure |
| 1.6 | Password & PIN Reset / Recovery | Social engineering campaign exploiting weak identity verification in reset process | Account takeover surge; customer complaints | Strong identity verification (biometric / liveness checks); rate limiting; staff awareness training; red-team simulation | Cyber: Social engineering, phishing. ICT: Weak reset workflow controls |
| 1.7 | Device & Session Management | Malware bypasses device binding controls allowing session hijacking | Fraudulent transactions; data compromise | Device fingerprinting; session timeout controls; encryption; anomaly detection; endpoint integrity checks | Cyber: Malware, session hijacking. ICT: Session management vulnerabilities |
| 1.8 | Alerts & Notification Services | SMS gateway provider outage or compromise | Customers not alerted to suspicious transactions; delayed fraud detection | Multi-channel notification (push, email, SMS); dual vendor redundancy; notification monitoring; failover testing | Cyber: Telecom provider compromise. ICT: Messaging infrastructure outage |
| 1.9 | Regulatory Compliance & Logging | Log management system corrupted by ransomware attack | Loss of audit trail; inability to demonstrate compliance; regulatory sanctions | Immutable logging; off-site log backup; SOC monitoring; ransomware playbooks; regular restoration tests | Cyber: Ransomware. ICT: Log server failure |
| 1.10 | Service Availability & Continuity Management | Major cloud region outage affecting digital banking platform | Complete digital access disruption; systemic customer impact | Active-active architecture; disaster recovery drills; RTO/RPO defined; crisis communication plan | Cyber: Cloud provider targeted attack. ICT: Infrastructure region failure |

Identifying Severe but Plausible Scenarios for CBS-1 Digital Account Access & Management enables Boost Bank to anticipate high-impact disruptions arising from cyber threats, ICT failures, third-party dependencies, and operational weaknesses.
By integrating Cyber and ICT risk considerations into each sub-process — from onboarding to service continuity — the bank strengthens its operational resilience posture.
The proactive risk management actions outlined above provide demonstrable evidence that Boost Bank is not merely reactive, but actively stress-testing, monitoring, and improving its digital banking ecosystem to remain within defined impact tolerances under extreme but realistic conditions.
This structured approach ensures customer trust, regulatory compliance, and sustainable digital banking service delivery even under severe disruption scenarios.
For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.












