Last October, nearly four dozen banks in Hong Kong confronted a nightmare "stress test" scenario: a pandemic that swept through the city, followed by a major cyberattack and a telecoms breakdown.
In the simulation, a fast-spreading disease led to as much as a third of the workforce not showing up, and the electronic chaos disrupted what remained of everyday operations. Months later, part of that hypothetical came true as the then-unnamed SARS-CoV-2 exploded onto the scene.
"The actions that we are taking to deal with the coronavirus are very close to the simulated exercise," said one executive at an international bank who was involved in the event. "That also dealt with a cyberattack, but at this point - thankfully - we only have one crisis."
Coronavirus has killed more than 1,300 people
The coronavirus has killed more than 1,300 people worldwide and infected more than 60,000, mostly in mainland China. There has been one death from more than 40 infections in Hong Kong, a financial services centre with assets worth $6 trillion. About 30% of bank branches have closed.
In real life, as in the exercise, financial institutions in Hong Kong have allowed staff to work from home and dispersed others to different offices. One senior banker at a large European bank in Hong Kong said the absentee rate due to the coronavirus was much lower than in the simulation.
The banker, who is involved in forming his institution's response to the virus, said the simulated cyber attack pushed his employer to reconsider how it handled sensitive documents when staff were working from home on less secure systems. After the exercise, his bank sought approval from the Hong Kong Monetary Authority (HKMA) to allow more for documents to be signed digitally - and implemented that plan when the coronavirus hit, he said.
"In October, practising for a virus seemed crazy given the political protests going on outside, but not now," said another person involved in the exercise, which was arranged by an industry group and observed by local regulators. Participants in the "stress test," code-named Whole Industry Simulation Exercise, or WISE, spoke on the condition of anonymity as they were not authorized to talk to the media.
The scenario consisted of a swine flu pandemic originating in Indonesia, jumped to humans and moved to Hong Kong, followed by internet connectivity issues and a cyberattack by insiders at one bank, angry at being forced to work during the pandemic. The four-hour-long exercise - which did not pass, fail or grade participants - involved crisis-management teams from 42 banks, including HSBC, Morgan Stanley, JP Morgan and Goldman Sachs.
Teams in each bank's offices were sent information about the evolving situation every 10 minutes. A fourth participant, from a Wall Street investment bank, said his team had approximately 20 people and included legal, communications and technology staff, plus several chief operations officers.
As the exercise unfolded, participants were sent regular updates in the form of news videos, a "ticker" showing market movements, and social media posts - some of which contained false information. Participants wrote news releases and policy statements to simulate their crisis communications strategies, which the other banks could see.
"The simulated exercise dealt with a scenario which was changing every five minutes, but the actual reality is a little more balanced. We are getting updates each day on how the situation with the virus is evolving," said the first banker. The United States and Britain have run similar exercises, called QUANTUM DAWN and WAKING SHARK, respectively.
Banks in the exercise found that having staff work remotely because of the virus, while necessary, left them exposed in other areas such as cybersecurity and fraud control.
Nearly half of the participants said afterwards that they found the pandemic and absenteeism the least challenging part of the exercise on their own. But the infrastructure outage and insider cyber attack complicated matters.
"We tried to force the participants to manage a degradation of their capabilities, and then respond to a cyberattack when they already had staff working from home, had introduced social distancing and were managing potential reputational damage due to their response to the pandemic," said Ben Wootliff, a partner at Control Risks, a consultancy that helped run the exercise.
An HKMA spokeswoman said precautionary measures taken so far amid the coronavirus outbreak "form part of the banks' business continuity plans, which have been subject to periodic drills to ensure their effectiveness."
Nonetheless, the bankers warned that mitigation efforts could only do so much. "Despite all the preparedness, the real impact of the current situation will, however, depend on how long the outbreak will continue and what will be the overall impact on clients and their businesses," said the European bank executive.