SIFMA Quantum Dawn VI


A Decade of Testing and Resilience

Over the past 10 years, the Securities Industry and Financial Markets Association (SIFMA) has coordinated a series of industrywide resilience exercises known as Quantum Dawn. These exercises provide a forum for financial firms, regulatory bodies, central banks, law enforcement, government agencies, trade associations and information-sharing organisations to respond to simulated cyber and/or physical attacks.

QDI 2011 November & QDII 2013 July

Quantum Dawn I & II - In November 2011 and July 2013, the financial services sector, in conjunction with service provider Norwich University Applied Research Institutes (NUARI), organised two marketwide cybersecurity exercises called Quantum Dawn I and Quantum Dawn II, respectively. Those events provided a forum for participants to exercise risk practices due to a disruption in equity trading and clearing processes in response to a systemic attack on market infrastructure.

QDIII 2015 September

Quantum Dawn III - Whereas Quantum Dawn II focused on decision making for closing the equity markets, Quantum Dawn III, held in September 2015, focused on exercising procedures to maintain market operations in the event of a systemic attack. Participants first experienced firm-specific attacks, followed by rolling attacks on equity exchanges and alternative trading systems that disrupted equity trading without forcing a close. The concluding attack centered on a failure of the overnight settlement process at a clearinghouse.

QDIV 2017 October

Quantum Dawn IV - In November 2017, SIFMA introduced the concept of integrating cyber range capabilities into industry exercises and engaged the SimSpace Corporation’s Cyber Range software for the simulation. Day 1 of Quantum Dawn IV provided a real-life “hands-on-keyboard” experience for participating institutions to test their technical cyber response capabilities, while Day 2 involved participants engaging in a sectorwide simulation to test their crisis response, communication, and coordination capabilities around a large-scale targeted cyberattack against numerous financial institutions and news organisations.

QDV 2019 November

Quantum Dawn V - SIFMA’s first global cyber exercise, held in November 2019, enabled key public and private bodies around the globe to practice coordination and exercise incident response protocols, both internally and externally, to maintain smooth functioning of the financial markets when faced with a series of sectorwide global cyberattacks. The exercise helped identify the roles and responsibilities of key participants in managing global crises with cross-border impacts and began development of its Global Directory of key crisis management contacts across the public and private sectors.

Executive Summary

On November 18, 2021, more than 1,000 participants from both the public and private sectors, representing over 240 financial institutions across 20 countries, participated in SIFMA’s global Quantum Dawn VI exercise. The industrywide exercise simulated a large-scale ransomware attack by a state actor against several major global financial institutions and regulatory bodies.

The scenario began with a state actor successfully infiltrating a major global bank’s custody servicing infrastructure, causing a suspension of the trading system used to process incoming messages from clients around the globe. The attackers made a triple-extortion[1] ransom demand for $100 million worth of Bitcoin within 24 hours.

Participants confronted the potential for a systemic event that could cause a widespread liquidity crisis and global financial instability. They grappled with crucial questions like the following:

  • What key decisions should be made during a ransomware attack?
  • Who are your initial points of contact internally and externally once an attack is confirmed?
  • What communication lines can be leveraged to help firms coordinate responses in the heat of the moment?

The focus on ransomware in this exercise underscores the increased frequency of this type of cyberattack, the growing sophistication of the attackers, and severity of risk to financial institutions, governments, global markets and technology infrastructure. According to a study published last year, ransomware attacks increased at a rate of 41% during the first six months of 2021 and 93% over the 12-month period ending June 2021[2].

Overall, the exercise provided an opportunity for financial firms to assess their existing response playbooks, identify leading strategies and processes, and examine internal and external communications plans for responding to a ransomware attack. The latest learnings on coordinating a response at country, regional and global levels were shared, along with communication channels and strategies to liaise with relevant stakeholders, including the media.

Objectives

The intent of the exercise was to assess public and private sector-wide communications and information-sharing mechanisms, crisis management protocols, and decision making, as well as legal and regulatory considerations, as exercise participants responded to and recovered from significant ransomware attacks targeting the financial sector. The scenario emphasised global cross-jurisdiction information sharing among financial firms, central banks, regulatory authorities, trade associations and information-sharing organisations.

SIFMA gathered information from participants in real time and post-exercise and worked with global consulting firm Protiviti to analyse the data. The results of the survey, summarised in the key findings below, provide significant insight into the industry’s capabilities for handling major disruptions.

The following key objectives were achieved:

  • Incorporated after actions and lessons learned from Quantum Dawn V, as well as recent disruptions including the SolarWinds and other breaches, third-party outages, and ransomware attacks.
  • Assessed the industry’s ability to respond to and recover from a ransomware attack affecting financial firms and the sector at large.
  • Exercised the interaction and information-sharing amongst Global Directory members with a focus on managing global ransomware attacks and potential impacts to the sector and financial markets.
  • Provided a forum for financial firms to challenge internal incident response playbooks and share best practices for managing a ransomware attack.
     

Key Findings

Ransomware recovery plans are common


Have you conducted or participated in a ransomware recovery exercise?


Many firms have critical data recovery capabilities


Ransomware and general cyber insurance are widespread


Bare-metal restore capabilities



Recommendations

An active defense (including assessment exercises, threat hunting and tabletop exercises) can improve any organisation’s ability to quickly detect and react to evolving cyber threats. The following recommendations are based on the lessons learned from Quantum Dawn VI.

Make critical investments in capabilities


Create an alternate communication channel for worst-case scenarios


Beware: Ransom payments may not lead to data recovery


Join global directory of critical stakeholders


Follow best practices



Conclusion 

A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing. No single actor — not the federal government nor any individual firm — has the resources to protect markets from cyber threats on their own. Firms should continually test their crisis management, incident response and data recovery plans to ensure rapid response and recovery from ransomware or other types of cyberattacks.

Visit sifma.org to learn about SIFMA’s Quantum Dawn exercises, its annual industry business continuity tests and ongoing efforts to improve the industry’s cyber and operational resilience.
 


1. “The New Ransomware Threat: Triple Extortion,” Check Point.
2. “The Vexing Tech Challenge of Fighting Ransomware: A Battle of Milliseconds,” Bloomberg, June 17, 2021.

 
