Perform Scenario Testing
CBS-10 – Self-service Terminal
Introduction
Scenario testing is a vital component of Maybank’s operational resilience strategy, ensuring that critical business services (CBS), such as self-service terminals, remain functional under severe yet plausible conditions.
By designing and executing scenario-based tests, Maybank validates its preparedness to withstand disruptions, minimise customer impact, and comply with regulatory expectations.
For CBS-10: Self-service Terminal, the testing scope spans authentication, withdrawals, deposits, system activation, availability, security, and customer support. Integration with cyber and ICT risk considerations ensures proactive resilience in an increasingly digital banking environment.
Table: Scenario Testing for CBS-10
|
Sub-CBS Code |
Sub-CBS |
Recommended Scenario Testing |
Integration of Cyber & ICT Risks |
Evidence of Proactive Risk Management Action |
|
10-1 |
Authentication & Access |
Simulate large-scale failures in biometric/PIN authentication caused by a system bug or cyberattack. |
Test against credential theft, malware injection, or brute-force login attempts. |
Deployment of multi-factor authentication, fraud monitoring alerts, and incident response drills. |
|
10-2 |
Withdrawal (Card & Contactless) |
Stress-test withdrawal limits under system overload or cash-dispensing errors. |
Cyber risk of ATM malware or card skimming devices disrupting withdrawal accuracy. |
Regular ATM penetration testing, anti-skimming technology installation, and cash reconciliation controls. |
|
10-3 |
Deposit & Inquiry |
Validate resilience when deposit recognition systems malfunction (e.g., due to counterfeit-detection errors). |
ICT failures in the real-time posting of deposits to the core banking system. |
Redundant system checks, automated reconciliation, and regular vendor assurance reviews. |
|
10-4 |
Activation & Setup (Cash-out) |
Test new card activation and setup failure during high-volume onboarding. |
Potential API integration issues with core banking or mobile apps. |
Pre-production testing, rollback protocols, and third-party risk assessments. |
|
10-5 |
Availability Management |
Simulate a widespread ATM network outage due to telco disruption or data centre downtime. |
ICT dependency on telecommunications, power, and server availability. |
Dual-site data centre resilience, backup power, and telco redundancy. |
|
10-6 |
Security & Resilience |
Test coordinated cyber-attack targeting ATMs (e.g., jackpotting or ransomware). |
Integration with SOC monitoring and DDoS attack simulations. |
Advanced threat detection, red team exercises, and patch management cycles. |
|
10-7 |
Customer Support & Recovery |
Assess customer support response during prolonged ATM downtime. |
Phishing or spoofed helplines targeting customers during an outage. |
Crisis communication playbooks, customer notification systems, and staff awareness training. |
Table: Scenario Testing Playbook for CBS-10
|
Sub-CBS Code |
Sub-CBS |
Testing Objective |
Test Scenarios |
Success Criteria |
Testing Frequency |
|
10-1 |
Authentication & Access |
Ensure secure and resilient customer access to self-service terminals. |
• Simulate large-scale PIN/biometric failure due to a system glitch. • Conduct cyber-attack simulation (brute-force, credential theft). |
• Authentication fallback works (e.g., secondary channel). • No unauthorised access detected. • Incident contained within SLA. |
Semi-annually |
|
10-2 |
Withdrawal (Card & Contactless) |
Validate withdrawal reliability under stress and malicious attempts. |
• Stress test ATMs with high withdrawal requests. • Simulate a card-skimming attack or malware insertion. |
• Cash dispensed accurately and reconciled. • Fraud attempts detected by monitoring systems. • No systemic outage. |
Quarterly |
|
10-3 |
Deposit & Inquiry |
Confirm accurate deposit processing and the availability of inquiries. |
• Simulate system failure in deposit recognition (e.g., counterfeit note). • Delay posting of deposit into core banking. |
• Deposits reconciled without loss. • Customer accounts updated within SLA. • Customer inquiries handled. |
Annually |
|
10-4 |
Activation & Setup (Cash-out) |
Ensure robust card activation and setup process under load. |
• High-volume new card activations are causing API failure. • Test rollback mechanism during activation failure. |
• Successful fallback/rollback activation. • No customer data loss. • Core banking integration is stable. |
Annually |
|
10-5 |
Availability Management |
Test the resilience of the ATM network during large-scale outages. |
• Simulate complete ATM network outage (telco or data centre disruption). • Test switchover to backup sites. |
• Service restored within defined impact tolerance. • Alternative channels (mobile/branch) available. |
Semi-annually |
|
10-6 |
Security & Resilience |
Strengthen protection against targeted attacks. |
• Red team exercise on ATM jackpotting. • Simulated ransomware on the ATM network. |
• Attack detected within SOC SLA. • Customer data uncompromised. • Recovery time within defined tolerance. |
Semi-annually |
|
10-7 |
Customer Support & Recovery |
Validate customer recovery experience and crisis communication. |
• Simulate prolonged ATM downtime (regional). • Test phishing/spoofed helpline attempts during outage. |
• Customer helpline is functional and accessible. • Phishing attempts detected and blocked. • Communication aligned to playbook. |
Quarterly |
This playbook provides Maybank with a structured framework for conducting scenario testing consistently across CBS-10.
It balances operational resilience objectives, cyber risk integration, and regulatory compliance.
![[BCM] [Thin Banner] Summing Up](https://blog.bcm-institute.org/hs-fs/hubfs/BCM%20Generic%20Banner/%5BBCM%5D%20%5BThin%20Banner%5D%20Summing%20Up.png?width=1920&height=250&name=%5BBCM%5D%20%5BThin%20Banner%5D%20Summing%20Up.png)
Performing scenario testing for CBS-10: Self-service Terminal enables Maybank to identify vulnerabilities across processes, technologies, and dependencies while reinforcing resilience measures.
Each sub-CBS test integrates cyber and ICT risks, ensuring that resilience planning extends beyond operational continuity into digital and cyber resilience.
Proactive risk management actions, such as penetration testing, redundancy planning, and staff training, provide tangible evidence of readiness.
Ultimately, scenario testing builds confidence that Maybank can sustain customer trust and service delivery even in severe but plausible disruptions.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the [OR-3] OR-300 Operational Resilience Implementer course and the [OR-5] OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
