Handrails
Banking, insurance & fintech

Your plans don't fail on paper. They fail under pressure.

Run real-world simulations across cyber, operational and supplier failure events.

What if the entire exercise, from scenario to regulator-ready report, took less than 60 minutes? You could run it this week.

Mapped to CPS 230 · DORA · PRA SS1/21 · SEC · NYDFS · and more

Report · regulator-ready (sample report card: CPS 230 · DORA Art. 19 · status: Ready)
  • Impact-tolerance call: Fallback invoked at minute 42
  • Regulator notification: Template submitted inside window
  • Third-party contract invocation: Clause reference disputed live
  • Board-observer readout: Clean 3-bullet summary
  • Customer holding statement: No pre-approved draft
What's changed

Why now

01

Boards want resilience metrics, not just plans

Audit committees ask if the impact tolerance was tested, not whether it's documented. Tabletops produce the evidence they actually want to see.

02

Continuous testing is the new standard

Regulators globally have moved the bar from annual rituals to continuous cadence. The SEC cyber rule, CPS 230, PRA SS1/21 and DORA all point the same way.

03

Third parties are where plans fail first

CPS 230 §43-46 and DORA Articles 28-30 require tested exit strategies for critical ICT providers. Most fail the first time they're rehearsed.

Says who

The frameworks behind every board report, regulator visit and resilience review

Every exercise maps to a real clause your regulators, boards and auditors are asking about.
SEC · Crisis Management · US SEC
4 business days from materiality determination

Item 106 covers cybersecurity governance and risk-management disclosure. Item 1.05 requires disclosure of a material cybersecurity incident within four business days of materiality determination.

If skipped: SEC enforcement, shareholder litigation, restated disclosures.
NYDFS · Incident Response
Annual senior-officer certification by 15 April

Written incident response plan plus annual senior-officer certification. The IR plan must be tested and revised periodically.

If skipped: Multi-million-dollar consent orders.
CPS 230 · Business Continuity · APRA + FAR
At least annually

APRA-regulated entities must test their business continuity plans at least annually with severe-but-plausible scenarios across critical operations and material service providers. CPS 230 took full effect on 1 July 2025. The Financial Accountability Regime (FAR) extends individual accountability obligations across banking, insurance and superannuation.

If skipped: Supervisory intervention, capital add-ons, FAR consequences for accountable executives.
Also in scope

Don't see yours above?

Handrails covers more than the three above. If your framework is listed here, or you don't see it at all, let us know.

  • PRA SS1/21 + FCA PS21/3 (UK)
    Identify important business services, set impact tolerances, run scenario testing. Three-year transition closed 31 March 2025. Annually plus on material change. If skipped: s.166 skilled-persons review, unlimited fines, individual sanctions under SMCR.
  • DORA (EU)
    Regulation (EU) 2022/2554 Articles 24-25. Regular testing of the ICT risk management framework and digital operational resilience, including scenario-based exercises. At least annually; TLPT every 3 years for designated entities. If skipped: supervisory findings, remediation deadlines, administrative penalties under Art. 50.
How it works

From scenario to regulator-ready report, in under 60 minutes.

Weeks of planning. Hours of facilitation. Days more for the report. Handrails compresses the whole thing into under 60 minutes.
1. Context in

Context (sample)
  • Sector: Regional bank · $14bn AUM
  • Regulators: APRA · OCC · ECB · DORA
  • Frameworks: CPS 230 · ISO 22301
  • Critical ICT: Core banking · card network
  • Policy: Operational resilience
  • Impact tolerance: Payments < 2h
  • Scenario: Core banking outage
  • Room: CRO · CISO · Ops · Treasury · Board obs
  • Clock: DORA Art. 19 · severe incident
  • Evidence: CPS 230 attestation pack
  • Board: Quarterly scorecard
  • Cadence: Annual + severe-but-plausible

Built around your context

Answer a few questions about your setup, including your industry, critical functions, third parties and regulator footprint. The scenario is tuned to the obligations actually in scope, not a generic template. Hours of consultant prep, designed in minutes.

2. Virtual session

Session mockup: Holly, the Handrails AI agent, facilitating a live virtual session (47:32) with Priya (CRO) and Marco (CISO) as participants, with a running transcript.

Run it live, virtually

Your team joins a video call. First, second and third line in the same call; the incident commander makes the calls; risk and audit observe; a board rep attests. The recording is the evidence stream. Scheduling is the only setup.

3. Report out

The report is ready before you close the call

Results generated in minutes, logged against your internal policies and what regulators demand. See areas for improvement and re-run quarterly to show the improvement curve regulators and boards now want to see.

Example scenarios

Tailored, not templated

Every scenario is generated from your context, not chosen from a library. Based on your frameworks, critical functions, third-party dependencies, even the plans and policies you upload. Three lightweight examples below.
01 · Scenario

Core banking platform outage

Critical service provider loses a region during end-of-month. CPS 230 critical-operations tolerance breach, FAR accountable-executive engagement, customer comms, failover decisions, board update on a 2-hour clock. DORA Art. 17 onwards major-incident reporting applies for EU operations.

02 · Scenario

Material cyber incident

Privileged credential exfiltrated overnight. Materiality determination, four-business-day disclosure clock under SEC Item 1.05, drafting the 8-K, NYDFS 72-hour parallel notification, APRA CPS 234 information-security-incident notification.

03 · Scenario

Third-party / MSP failure

A material service provider suspends service. CPS 230 §43-46 critical-service-provider obligations, exit strategy invocation, APRA notification, customer SLA management. DORA Art. 28-30 contract clauses for EU operations.

Partner with Handrails

Be the partner that makes compliance feel easier for your clients.

For most GRC consultancies, operational-resilience advisors and vCISOs working in financial services, tabletop exercises are the most time-consuming deliverable in any resilience engagement. Days of scenario prep, hours of facilitation, more hours producing a regulator-ready report. Handrails can now carry that load for you. Stay in the advisory role your clients need you in, run more engagements, and earn on every session.
  • Revenue share, every cycle: Get paid on every session your clients run.
  • Regulator-ready evidence: Reports pre-map to DORA Art. 24-25, CPS 230, PRA SS1/21, FFIEC BCM and NYDFS 500.16. One scenario set, jurisdiction-specific evidence packs.
  • Reports written for you: Don't spend hours writing up board and regulator-ready evidence. Handrails delivers it in minutes, straight from the session.

Already working with: GRC & resilience consultancies · Operational-resilience platforms · FS-specialty cyber brokers & carriers · Audit committees & board advisers

Run your first financial services exercise this week.

Sign up, pick a scenario, invite the team. The report is ready before the session ends.