Cybersecurity Exercise: Quantum Dawn VII

Quantum Dawn is a series of cybersecurity exercises that enable financial institutions and the sector, as a whole, to practice and improve coordination with key industry and government partners in order to maintain financial markets operations in the event of a systemic cyber-attack.

After-Action Report

Quantum Dawn VII demonstrated the industry’s preparations for an incident affecting a critical third party, a scenario which is timely given recent sector events that resulted in the loss of several critical third parties impacting the financial sector.

SIFMA worked with Protiviti to release an After-Action Report with takeaways and key recommendations from the Quantum Dawn VII cybersecurity exercise, aimed at strengthening public and private sector-wide communications and information-sharing mechanisms, crisis management protocols, and decision-making, as well as legal and regulatory considerations, as exercise participants responded to and recovered from the scenario presented.

Those recommendations include:

  • Firms should continue to consider the impact of longer-term outages of their critical third parties.
  • Firms should continue to improve their response and recovery processes around the long-term loss of a critical third party.
  • Firms are encouraged to seek industry coordination and collaboration during major outages.

Exercise Purpose

From November 14 to 16, 2023, more than 1,000 participants from both the public and private sectors, representing over 170 financial institutions across more than 20 countries, participated in the Securities Industry and Financial Markets Association (SIFMA)’s global Quantum Dawn VII exercise. The goal of the exercise was to simulate operational impacts to financial firms, critical third parties and the global financial ecosystem, improve crisis and incident management response and recovery plans, and strengthen global coordination and information sharing mechanisms necessitated during significant operational outages such as a cyber incident.

Exercise Objectives

The intent of the exercise was to strengthen public and private sector-wide communications and information-sharing mechanisms, crisis management protocols, and decision-making, as well as legal and regulatory considerations, as exercise participants responded to and recovered from the outage of a critical third party used by the financial sector to trade in the U.S. Treasury and repo markets. Additionally, Quantum Dawn VII achieved the following key objectives:

  • Incorporated after actions and lessons learned from Quantum Dawn VI (2021), as well as recent disruptions including third-party outages and ransomware attacks.
  • Provided a platform for member firms to assess their ability to respond to and recover from an outage of a critical third party hosted in the cloud that is widely used by the financial sector to trade, clear and settle in the U.S. Treasury and repo markets.
  • Allowed financial firm participants to think through their preparations for a long-term outage of a critical third party.
  • Reviewed with Global Directory members SIFMA’s role to share information on management of cybersecurity attacks and critical third-party outages.
  • Provided a forum for financial firms to strengthen internal incident response and crisis management playbooks.

In addition to the registered participants, many organizations gathered their internal crisis and incident management teams in “war rooms” to take part in the discussions. Most participants surveyed (about 62%) were individuals aligned with the first line of defense (information security/business resilience/crisis management) within their respective organizations, while approximately 22% were associated with the second line of defense (operational resilience/legal/compliance/operations/risk management). Almost half (~44%) had management job titles.

Key Facts of Quantum Dawn VII

Quantum Dawn VII took place from November 14 to 16, 2023.

The simulation included an outage taking the form of a data disruption event at a fictional critical third party (“CTP”) hosted in the cloud and used by the global financial sector to trade in the U.S. Treasury and repo markets. During the simulation, participants were polled on a series of questions, which provided significant insight into the industry’s capabilities for addressing major third-party disruptions. These key findings form the basis of this after-action report:

  • A majority of participants (75%) reported having experienced the loss of a critical third party, demonstrating that these outages are not unusual. Ninety-eight percent of firms have developed and maintain response and recovery plans for their critical third parties, and 80% of firms state their plans can account for outages lasting 24 hours or more.
  • Information sharing is widespread and involves senior leadership and the board level. Participants demonstrated well-developed and diverse communication plans both internally and externally with stakeholders and industry peers.

Background

  • Quantum Dawn I & II: In November of 2011 and July 2013 the financial services sector, in conjunction with service provider Norwich University Applied Research Institutes (NUARI), organized two market-wide cybersecurity exercises called Quantum Dawn I and Quantum Dawn II, respectively. Those events provided a forum for participants to exercise risk practices across equities trading and clearing processes and market closure protocols in response to a systemic attack on market infrastructure.
  • Quantum Dawn III: Whereas Quantum Dawn II focused on exercising procedures for informing decision making for closing the equity markets, Quantum Dawn III, held September 2015, focused on exercising procedures to maintain market operations in the event of a systemic attack. Participants first experienced firm-specific attacks, followed by rolling attacks upon equity exchanges and alternative trading systems that disrupted equity trading without forcing a close. The concluding attack centered on a failure of the overnight settlement process at a clearinghouse.
  • Quantum Dawn IV: Held in November 2017, Quantum Dawn IV used service providers NUARI (Norwich University Applied Research Institutes), its latest version of the DECIDE FS, and the SimSpace Corporation’s Cyber Range software for the simulation and execution of the exercise. In a change from previous exercises, Day 1 of Quantum Dawn IV provided a real-life “hands-on-keyboard” exercise for participating institutions to test their technical cyber response capabilities. Day 2 involved participants engaging in a sector-wide simulation to test their crisis response, communication, and coordination capabilities that revolved around a simulated “bad day” on Wall Street in which a large-scale targeted cyberattack is made against numerous financial institutions and news organizations, with rolling impacts for the sector, markets, and customers.
  • Quantum Dawn V: Held in November 2019, Quantum Dawn V was a global exercise that enabled key public and private bodies around the globe to practice coordination and exercise incident response protocols, both internally and externally, to maintain smooth functioning of the financial markets when faced with a series of sector-wide global cyberattacks. The exercise helped identify the roles and responsibilities of key participants in managing global crises with cross-border impacts. The exercise scenario emphasized cross-jurisdiction communication and coordination between member firms and regulatory agencies in North America, Europe, and Asia.
  • Quantum Dawn VI: On November 18, 2021, more than 1,000 participants from both the public and private sectors, representing over 240 financial institutions across 20 countries, participated in SIFMA’s global Quantum Dawn VI exercise. The industrywide exercise simulated a large-scale ransomware attack by a state actor against several major global financial institutions and regulatory bodies.

Additional Information and Resources

Quantum Dawn VII is just one component of how SIFMA is working with its members on a variety of cybersecurity initiatives, including:

  • Promoting enhanced regulatory harmonization to encourage a more effective allocation of cyber resources
  • Promoting a robust industry-government partnership grounded in information sharing
  • Designing exercises and industry tests to improve protocols for incident preparedness, response and recovery
  • Using the lessons learned to refine industry best practices, including for managing insider threats, third-party risk, penetration testing and data security, including secure data storage and recovery.

Media Inquiries

If you have a media inquiry, please contact Katrina Cavalli at 212.313.1181.