Key findings of the Quantum Dawn 3 cybersecurity exercise published
- Published: Thursday, 26 November 2015 10:00
SIFMA has published a summary of the key findings derived from its Quantum Dawn 3 cybersecurity exercise held on September 16, 2015. This After-Action Report was developed by Deloitte Advisory Cyber Risk Services. SIFMA engaged Deloitte Advisory to serve as an objective observer of the exercise and assist in identifying key takeaways and recommendations for enhancing the financial services sector's protocols for responding to a large-scale cyberattack.
Over 650 participants from over 80 US financial institutions and government agencies participated in this exercise, including key industry and government partners such as the US Department of the Treasury, Department of Homeland Security, Federal Bureau of Investigation, federal regulators and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
During Quantum Dawn 3, participants first experienced organization-specific attacks, such as a distributed denial of service (DDoS) attack, domain name system (DNS) poisoning, or a breach of personally identifiable information. These attacks were followed by rolling attacks upon equity exchanges and alternative trading systems that disrupted equity trading without forcing a close. The concluding attack scenario was a failure of the overnight settlement process at a clearinghouse.
The After-Action Report highlights include:
- Institutions were able to identify and leverage internal and external capabilities in responding to the market-wide cyber-attacks.
- More than 80 organizations built ‘muscle memory’ within their crisis response by exercising DDoS mitigation, DNS attack coordination and data breach assessment and communication.
- Institutions, along with the FS-ISAC, the FBI, and regulators, enhanced their working relationships and exercised the public/private partnership that will be required to respond to a large-scale attack.
- The FS-ISAC and FBI specifically indicated that they were appropriately engaged by organizations and were active participants in information sharing during the exercise.
- The exercise demonstrated the critical importance of information sharing in responding to a cyber attack and the value of having established and regularly utilized processes prior to a crisis.
All respondents to the post-simulation survey indicated their organization felt more prepared after the exercise than before.
The After-Action Report also made recommendations for enhancing the internal firm and sector-wide processes in response to a large-scale attack:
Internal firm response:
- Enhance executive leadership involvement in the response, recovery, and decision-making protocols during times of crisis.
- Create integrated cyber incident response teams consisting of representatives from internal information security, technology, business functions, and required third parties.
Sector-wide response:
- Enhance the role of market utilities to aid the early detection of, and response to, a systemic crisis. Develop and/or augment playbooks for sector-wide events affecting market utilities.
- Strengthen communication with regulators and government agencies, and raise awareness concerning government resources and capabilities available to assist the sector.
- Promote standards and processes to allow market participants to share various cyber-attack information.
- Define thresholds and criteria for when institutions should engage with government agencies/regulators, and vice versa, during an incident.
The full After-Action Report summary of key findings is available here (PDF).