MFT vendor goes dark, NACH starts in two hours

A field-IR debrief on the operational pattern every BFSI CISO should rehearse — a managed-file-transfer vendor takes their portal down for an unscheduled incident response and the bank has 102 minutes to NACH settlement. What we did, in order.

By Cyberange DFIR Published 01 May 2026
  • DFIR
  • BFSI
  • MFT
  • NACH
  • supply chain
  • incident response

Sample post — full content pending. Real IR engagement; anonymised. Build out the timeline once the bank’s communications team signs off on the public version.

The two-hour window

NACH settlement runs on a fixed daily clock. When a managed-file-transfer vendor pulls their portal offline for an unscheduled incident response, every bank with a counterparty file landing in that portal has a finite window — typically 90 to 120 minutes — before settlement obligations are missed. This is a pattern, not a one-off, and the response runbook has to exist before the call comes in.

What this post will walk through

  • T+0 sec — the call from the vendor. What was said. What was not said.
  • T+4 min — confirming impact internally. The minimum-viable scope: which counterparties, which file types, which settlement windows
  • T+12 min — the regulator notification call (and why the call goes out at T+12, not T+50)
  • T+22 min — the fallback channel — SFTP, encrypted email, courier — and the operational discipline that has to exist before the day a fallback channel is needed
  • T+45 min — pre-emptive customer communication. The legal review window collapses to single-digit minutes on a settlement clock
  • T+85 min — the “missed” decision. Who decides. How the decision is logged.
  • T+102 min — settlement closes. Post-mortem starts.

The runbook this engagement produced

[Five sections, one per phase. Each phase includes named roles (CISO, head of ops, head of legal, regulator liaison), the specific call sequence, and the artefacts that go into the audit record afterwards.]

Three things most banks get wrong

  1. The fallback channel is theoretical. When the day comes, nobody at the counterparty has the credentials to receive a file through a channel that hasn’t been exercised in eight months. Quarterly drill on the fallback or it doesn’t exist.
  2. The regulator call goes out too late. The CERT-In six-hour window does not mean wait six hours. It means report within six hours. The optimal call is at T+10 to T+15 — when impact is confirmed and the response is in motion.
  3. The customer communication is written from scratch. It shouldn’t be. Three or four templates per scenario, pre-approved by legal, sit in the runbook. The call is which one goes out, not what it says.

What the drill looks like

[Description of the Phygital Range scenario that mirrors this exact pattern. Twenty minutes. Six roles. Live regulator-call simulation with a CERT-In liaison observing.]


Authoring notes — wait for the bank’s public statement before naming roles or counterparties. Until then this stays at the pattern-level. The runbook itself can be published in full — the bank has consented.