Release Date: November 23, 2015
Contact: Liz Pierce, 212-313-1173, [email protected]

SIFMA Announces Key Findings of the Quantum Dawn 3 Cybersecurity Exercise  

Washington, DC, November 23, 2015 – SIFMA today published a summary of the key findings derived from its Quantum Dawn 3 cybersecurity exercise held on September 16, 2015. This After-Action Report was developed by Deloitte Advisory Cyber Risk Services. SIFMA engaged Deloitte Advisory to serve as an objective observer of the exercise and assist in identifying key takeaways and recommendations for enhancing the financial services sector’s protocols for responding to a large-scale cyberattack.

Over 650 participants from over 80 financial institutions and government agencies participated in this exercise, including key industry and government partners such as the U.S. Department of the Treasury, Department of Homeland Security, Federal Bureau of Investigation, federal regulators and the Financial Services Information Sharing and Analysis Center (FS-ISAC).

During Quantum Dawn 3, participants first experienced firm-specific attacks, such as a distributed denial of service (DDoS), a domain name system (DNS) poisoning or breach of personally identifiable information (PII). These attacks were followed by rolling attacks upon equity exchanges and alternative trading systems that disrupted equity trading without forcing a close. The concluding attack centered on a failure of the overnight settlement process at a clearinghouse.

“A large scale cyber attack that broadly impacts the financial services sector and the U.S. economy is a low probability, high impact event that the industry prepares for along with other possible crisis events. The goal of the Quantum Dawn exercises is to identify specific areas where the industry can improve its cyber protocols, which in turn informs SIFMA’s ongoing work with its members to develop and refine best practices,” said Kenneth E. Bentsen, Jr., SIFMA president and CEO. “We are encouraged by the industry’s progress in cybersecurity preparedness and response since the 2013 Quantum Dawn 2 exercise, yet we know that this work is never done. The After-Action report findings highlight the importance of enhanced information sharing and coordination among the public and private sectors in mitigating threats.”

“The importance of preparing for a systemic cyberattack cannot be understated.  When a company is faced with a cyber incident, the impact can be very serious; but it’s important, especially in critical infrastructure sectors like financial services, to recognize that attacks may not be isolated to one organization.  That’s why testing cyber security, vigilance, and resilience across the sector is essential,” said Ed Powers, US Leader for Deloitte Advisory Cyber Risk Services. “We were pleased to see the growth of Quantum Dawn 3 with more than 80 financial institutions participating and engaging with information sharing bodies, federal investigators and regulators. We applaud SIFMA for their important work in orchestrating this on-going test of cyber preparedness.”

The After-Action Report highlighted positive behaviors identified by Quantum Dawn 3, including:

• Institutions were able to identify and leverage internal and external capabilities in responding to the market-wide cyber-attacks.
• More than 80 organizations built muscle memory within their crisis response by exercising DDoS mitigation, DNS attack coordination and data breach assessment and communication.
• Institutions, along with the FS-ISAC, the FBI, and regulators, enhanced their working relationships and exercised the public/private partnership that will be required to respond to a large-scale attack.
• The FS-ISAC and FBI specifically indicated that they were appropriately engaged by organizations and were active participants in information sharing during the exercise.
• The exercise demonstrated the critical importance of information sharing in responding to a cyber attack and the value of having established and regularly utilized processes prior to a crisis.

All respondents to the post-simulation survey indicated their organization felt more prepared after the exercise than before.

The After-Action Report also made recommendations for enhancing the internal firm and sector-wide processes in response to a large-scale attack:

Internal Firm Response:

• Enhance executive leadership involvement in the response, recovery, and decision making protocols during times of crisis.
• Create integrated cyber incident response teams consisting of representatives from internal information security, technology, business functions, and required third parties.

Market-Wide Coordination:

• Enhance the role of market utilities to aid the early detection of, and response to, a systemic crisis. Develop and/or augment playbooks for sector wide events affecting market utilities.

Public/Private Interaction:

• Strengthen communication with regulators and government agencies, and raise awareness concerning government resources and capabilities available to assist the sector
• Promote standards and processes to allow market participants to share various cyber-attack information
• Define thresholds and criteria for when institutions should engage with government agencies/regulators, and vice versa, during an incident.

The full After-Action Report summary of key findings is available here.