Cyber and Operational Resilience Table Top Exercises

In 2014, SIFMA organized four separate table top exercises to provide firms with the opportunity to practice their cyber incident response plans and protocols with the goal being to maintain a firm’s ability to operate and conduct business in the face of a cyber attack.

The information below describes the exercise, simulation software package used and how these exercises can help support your firm’s cyber incident response planning.



Analyst and media reports make clear that cyber attacks are becoming increasingly sophisticated, more frequent, and their consequences more dire.  As a result, financial services firms are spending millions of dollars on protection, investigation and remediation, but those costs are small compared to the loss in market capitalization, assets and revenue that can be attributed to investors’ and customers’ loss of trust and confidence in the firm and the industry in general.  As firms are increasing their security budgets on cyber technologies, such as intrusion protection and data-loss prevention to defend their perimeter, determined criminals are also increasing their attack capabilities.

A robust cyber incident response plan is a key foundational element to any effective cybersecurity program; ensuring firms are prepared to act when a successful breach or crisis arises.  However, for that cyber incident response plan to be effective, firms must seek to develop “muscle memory” through regular training and practice.  Applying the firm’s cyber incident response plan to a set of detailed incidents scenarios that allow key decision makers to navigate the impacts in an interactive setting is critical in ensuring a firm is prepared to put their plan into action.

The 2014 Cyber and Operational Resilience Table Top Exercises used the DECIDE-FS® simulation software package, which facilitated the Cyber Security Exercise: Quantum Dawn in 2011, 2013 and again in 2015.  Each exercise was executed in a small team setting, allowing for significant interaction between the facilitators and participants.  The goal of the exercise is for all participants to leave the exercise with both a better understanding of where to improve their plans and also a greater appreciation for how an effective cyber incident response plan can limit the damages of an attack, increase the confidence of key stakeholders and reduce recover time and costs.

Exercise Goals and Objectives

Immerse players from various firms in a structured series of exercises in which:

  • Each firm may self-assess their incident response planning efforts against an escalating series of scenarios
  • Each firm may frame their internal findings and series lessons learned as part of a continuous improvement program to increase cyber and operational resilience

Exercise Essentials

Duration: One-day, 9:00am EST to 3:30pm EST

  • Thursday, March 27, 2014 (COMPLETED)
  • Tuesday, April 22, 2014 (COMPLETED)
  • Tuesday, May 20, 2014 (COMPLETED)
  • Tuesday, June 24, 2014 (COMPLETED)

Note: Registration will close on the date above or if the cap of 20 firms is reached.
Location: SIFMA Offices, 120 Broadway, New York, NY
Cost: $5,500 per participating firm

  • Table top exercise utilizing the DECIDE-FS™ cyber exercise environment
  • All participants in a single location
  • Each firm may have up to 4 players participate in the exercise
  • Each exercise will consist of 3-4 scenarios. Each scenario will be a facilitated, simulation-supported, tabletop exercise
  • Firms will select and participate in scenarios that are most relevant to their situation


  • The scope and execution of the four exercises will be approximately the same; the four dates are meant to allow for more firms to participate and more scheduling flexibility
  • Each exercise can accommodate up to 20 participating institutions
  • The exercise is open to firms of any size within the industry, with exposure to the US equity markets. The scenarios will allow for sell-side, buy-side, exchange and financial utilities to participate

After Action Report: A single after action report will be created that will encompass all the lessons learned from the four exercises. Player confidentiality will be protected and individual firms will be encouraged to document their own lessons learned during the exercise.

Exercise Program

9:00am – 9:30am Introduction, Exercise Ground Rules and Incident Response Plan Overview
9:30am – 10:45am Scenario #1
10:45am – 12:00pm Scenario #2
12:00pm – 12:30pm Break/Lunch
12:30pm – 1:45pm Scenario #3
1:45pm – 3:00pm Scenario #4
3:00pm – 3:30pm Exercise Wrap Up

Preparation Schedule

One of the overall objectives of this exercise is to limit the impact on already stretched information security, cybersecurity and operations resources within the participating firms. To ensure this is the case, we have limited the upfront planning and preparation for participating firms to a single in person meeting or conference call three weeks prior to the exercise for the firm’s designated lead or trusted agent. At this meeting, the participating firms will receive background on the execution of the exercise and select the scenarios to be used.


Each participating firm will contribute a “buy-in” fee in order to cover the scenario planning, software configuration and exercise execution. Each exercise is designed to accommodate up to 20 firms with up to 4 players from each.  Fees will be collected by SIFMA and then passed to Cyber Strategies in order to cover the costs of the exercise.

Participating Firm Requirements

  • All required hardware and software to participate will be provided.
  • Lunch will be provided for all participants.
  • No prior knowledge of the DECIDE-FS® software is required.
  • Simulation support will consist of one DECIDE-FS® terminal per player organization, plus one controller per group of firms to assist with interacting with the software.
  • Each firm must nominate a “trusted agent” who will spend approximately 2 hours on an exercise planning call and approximately 2 hours coordinating activity within their firm to ensure adequate preparation for a successful event.
  • Based on the composition of the scenarios we suggest the firm’s exercise team include the following expertise.
    • Incident Response/Business Continuity
    • Technology Risk/Information Security
    • Equity Market Operations
    • Crisis Communications
    • Legal/Compliance
  • One person can cover multiple areas depending on experience and background.  We feel the cross functional nature of the team will make the play and discussion more robust as we look for areas of improvement.


About DECIDE-FS® Cyber Exercise Environment

Beginning in March 2014, the Finance Sector will be using a new tool designed to enhance the sector’s resilience to cyber attacks and other disruptions. This tool is called the Distributed Environment for Critical Infrastructure Decision-making Exercises – Finance Sector® (DECIDE-FS®). Funded by the Department of Homeland Security, DECIDE-FS® has been developed with extensive participation of about 40 financial institutions including major exchanges, brokerages, banks, associations, and regulators. It is being built to their specifications.

Value Proposition: 
Upon delivery, this tool will be made available to over 5,000 financial institutions, in order to help them find and address weaknesses in their cyber incident response plans and improve their ability to manage cyber incidents under stressful conditions. It will also contribute to their ability to manage operational risk. Among the many firms that could be initial users of DECIDE-FS® are brokerages of varying sizes, exchanges, buy-side firms, clearing firms, and bank holding companies. In short, it is designed to be of value to a variety of firms, each having a different operational profile and business model, as part of an overall market.


DECIDE-FS® augments simple tabletop exercises, to help incident managers improve their company’s resilience to a cyber attack. It is designed for business continuity professionals, incident managers, information security teams, and operations executives. It immerses these managers in a compelling training environment in which they must make stressful decisions in order to maintain a competitive business while also responding to cyber disruptions. DECIDE-FS® delivers these exercises to the desktops of its users; a client need only click on a link in order to access a complete DECIDE-FS® cyber exercise. These exercises, delivered from the cloud, can be tailored easily and cost-effectively to a firm’s operational profile and exercise learning objectives. A single exercise can be accessed simultaneously by groups of players located anywhere in the world. This feature allows globally distributed firms to engage different departments in a single cyber exercise that stresses careful coordination and communication between them. DECIDE-FS® will support cyber exercises designed for single companies, or for groups of companies (up to 60 at a time).