Exercising Industry Coordination in Response to a Global Cyber Disruption
History Of Quantum Dawn Exercises
Since November 2011, SIFMA has coordinated a series of industry-wide resiliency exercises called Quantum Dawn. These exercises provide a forum for financial firms, regulatory bodies, government agencies and trade associations to respond to simulated cyber and/or physical attacks. The key driver for the exercises is to test the industry’s ability to recover in a timely manner from events that could impact market integrity or cause widespread harm to the financial ecosystem.
Organized by the U.S. Department of Homeland Security and hosted by the Depository Trust & Clearing Corporation, the first Quantum Dawn exercise was held in November 2011. SIFMA then organized subsequent exercises, starting with Quantum Dawn II in July 2013. Those seminal events provided a forum for participants to test incident response playbooks and protocols across equities trading, clearing processes and market closure procedures in response to an ecosystem-wide attack on market infrastructure. Quantum Dawn II also focused on testing procedures that would inform the decision to close equity markets.
Quantum Dawn III, conducted in September 2015, simulated a large-scale cyberattack lasting three business days and focused on exercising procedures to maintain market operations through firm-specific and rolling attacks on equity exchanges and alternative trading systems. These attacks disrupted trading but did not result in market closures. The concluding attack centered on a failure of the overnight settlement process at a major clearinghouse.
Held in November 2017, Quantum Dawn IV (QDIV) provided firms with a real-life “hands on keyboard” exercise to test their technical cyber response capabilities using cyber range technologies. QDIV also engaged participants in a sector-wide exercise to test their crisis response, communication and coordination capabilities. The exercise simulated a “bad day” on Wall Street during which a large-scale cyberattack targeted financial institution payment infrastructures, with rolling impacts on the sector and markets. The events caused widespread consumer panic and market contagion after a major news outlet was hacked and “fake news” stories were presented.
Quantum Dawn V (QDV), conducted in November 2019, tested the financial services industry's response to extreme cross-border cyberattacks, with a focus on evaluating the information-sharing and communication protocols of individual firms and the sector.
QDV: Scenario Overview
A Global Event For The Financial Sector
QDV brought together key participants from the global financial community, attracting public and private sector institutions from many jurisdictions and professionals representing a broad range of roles and responsibilities.
More than 800 representatives from over 150 financial firms as well as more than 50 regulatory authorities, central banks, government agencies and trade associations across 19 countries participated in the event. The financial institutions included securities firms, banks, investment banks, asset managers and financial market infrastructure providers of all sizes.
Regulatory organizations, central banks, government agencies and trade associations highlighted their response activities during the exercise. Several organizations discussed their roles in crisis response and what they would do in the presented scenario. These included SIFMA, the Association for Financial Markets in Europe (AFME), Asia Securities Industry and Financial Markets Association (ASIFMA), Securities and Exchange Commission (SEC), U.S. Treasury, Financial Services Information Sharing and Analysis Center (FS-ISAC), Bank of England, Financial Conduct Authority, HM Treasury, UK Finance Sector Cyber Collaboration Centre (FSCCC), the Bank of Canada, and Canadian provincial regulators.
QDV gave firms the opportunity to share their incident response processes, communications protocols and information-sharing practices with industry participants through real-time polling responses.
The exercise helped identify areas for both public and private sector institutions to improve global crisis coordination, information sharing and communication protocols during a sector-wide cyber incident.
The industry should consider implementing the following recommendations to improve information-sharing and incident-response capabilities.
Create a Directory of Critical Stakeholders and Key Contacts
Conduct Periodic Exercises
The industry should schedule regular touchpoints and exercises. These exercises could be catalysts for developing global information-sharing capabilities and incident response and recovery protocols for critical public and private sector organizations and contacts. Additionally, periodic exercises will emphasize the need for all organizations to keep incident response playbooks and contact information up to date to ensure a rapid and coordinated global response to major events impacting the financial ecosystem.
Expand Information Sharing and Communications Capabilities
Our findings show that many formal and informal communication channels exist today among financial firms, trade associations, regulatory bodies, government agencies and central banks, mostly centered within each country or jurisdiction. Linking together existing information-sharing networks with organizations that currently manage crises in their respective jurisdictions, prior to an event, will strengthen cross-border information-sharing and communication capabilities among the public and private sectors.
Conclusion And Acknowledgments
The changing threat landscape requires financial institutions to be diligent about how they assess and manage their exposure to major disruptive events, such as large-scale cross-border cyberattacks.
The QDV exercise highlighted the industry’s collective incident response and information sharing capabilities. As participating firms take the lessons learned and recommendations from QDV and apply them within their respective institutions, SIFMA and its partner organizations will continue to collaborate with the industry to enhance information-sharing and incident response practices on a global scale.
SIFMA would like to acknowledge the hundreds of organizations and individuals who helped design and execute the Quantum Dawn V exercise. Global consulting firm Protiviti helped analyze participant feedback and prepare this after-action report.
Finally, SIFMA would like to thank all the participants who engaged in the exercise and provided valuable insights, ensuring its success.