Markets In Action

Industry works to protect investors, markets from cyber attack

Last year’s holiday shopping season showed Americans are shopping online more than ever. Unfortunately, that heightened commerce presents an ideal target for cyber thieves to strike.
A study prepared last year by PwC reveals that “attacks on retail and consumer companies skyrocketed 154% in 2015 from the previous year, and compromise of customer records soared 27%.” That’s enough to make even the smartest shopper a little anxious that their personal and financial data is at risk.
But it’s not just retail businesses and consumer accounts that are at risk. In recent years, cyber attack targets have included government agencies like the Internal Revenue Service and the Office of Personnel Management, health care providers, and universities, to name a few.
Needless to say, business leaders at all levels have grown more aware of the importance of cybersecurity planning.
The financial industry is leading the way in cybersecurity planning through the series of Quantum Dawn exercises, a long-running initiative launched in 2011 to test the industry’s ability to detect, respond to and mitigate potential cyber attacks on banking and market data systems.
Coordinated by the Securities Industry and Financial Markets Association (SIFMA), the third exercise in the series, Quantum Dawn 3 (QD3), took place in September 2015.

Simulating ‘a low probability, high impact event’

With more than 650 participants from over 80 financial institutions (including banks, brokerage houses and market exchanges), law enforcement agencies and industry regulators, QD3 simulated a large-scale, multi-day cyber attack on the financial system that disrupted the trading and processing of securities at the sector level, as well as separate attacks on individual participating firms. (A fuller description of the simulation’s workings-which included domain name system attacks, distributed denials of service, insider breaches, and other system compromises aimed at disrupting market operations-was outlined in an earlier Project Invested article.)
The goal was to simulate a systemic attack that would test market participants’ ability to work closely together to respond to and overcome a “low probability, high impact” incident, as SIFMA President and CEO Kenneth E. Bentsen, Jr., explained.
“The industry is taking great steps to be prepared here; this is a top priority for the industry at the highest levels in the corporate suite,” Bentsen explained in a November 23 interview with CNBC. “And so I think in terms of making an effort and putting the processes in place, the industry is doing a very good job.
“At the same time, it’s an iterative process…and the risk only gets greater,” Bentsen continued. “It’s not just a criminal exercise that we’re concerned about, but it’s also a disruptive exercise that we’re concerned about. So these are all the sorts of things we try to test for on a regular basis, and train for on a regular basis.”
The exercise also offered participating firms an opportunity to exercise their own internal crisis response plans.  As cyber response planning moves beyond just information security to plan the response of the enterprise as a whole, the exercise brought together representatives from firms’ crisis response, information security, operations, and legal teams to practice how they would respond to a cyber incident.

Lessons learned

In an after-action report, Deloitte Advisory Cyber Risk Services summarized the QD3 exercises findings, along with recommendations for the future.
The good news: the QD3 simulation revealed that the securities industry increasing awareness and ongoing planning for cybersecurity threats to the industry has yielded positive results. Firms have developed constructive working relationships and communication among financial institutions, law enforcement and regulators to share information on threats, and to establish processes for sharing information related to attacks.
In addition, the Quantum Dawn simulation series itself is laying the groundwork for improved crisis response, as the participating organizations develop the “muscle memory” needed to respond in the event of a cyber attack.
The after-action report also detailed ways in which market participants could continue to build upon their cybersecurity preparedness plans. These include strengthening internal firm responses through the involvement of executive leaders and establishing cyber incident response teams, as well as continuing to work to improve coordination, communication and information sharing.
“The importance of preparing for a systemic cyber attack cannot be understated,” said Ed Powers, U.S. Leader for Deloitte Advisory Cyber Risk Services, in a news release. “When a company is faced with a cyber incident, the impact can be very serious; but it’s important, especially in critical infrastructure sectors like financial services, to recognize that attacks may not be isolated to one organization. That’s why testing cybersecurity, vigilance and resilience across the sector is essential.”

The need for vigilance

While the QD3 simulation focused on the financial industry and markets, other industries and government agencies would do well to study the findings for insights into how they might improve their own cybersecurity efforts. And owners and managers of smaller firms should be sure to check out SIFMA’s cybersecurity guide, “How Small Firms Can Better Protect Their Business,” for guidance on how to strengthen your own firm’s defenses.
Cybersecurity is a moving target, and unfortunately data breaches and other cyber attacks are likely to be a fact of life in our increasingly connected world. The reality is that cyber attackers aren’t standing still-they revise and refine their methods in response to a changing security environment.
“We are encouraged by the industry’s progress in cybersecurity preparedness and response since the 2013 Quantum Dawn 2 exercise, yet we know that this work is never done,” Bentsen said in summarizing the after-action recommendations. “The after-action report findings highlight the importance of enhanced information sharing and coordination among the public and private sectors in mitigating threats.”
That means that industry, government and consumers must remain vigilant about maintaining a strong defense to ensure we can detect cyberattacks before they do serious damage, and respond quickly to mitigate negative impacts. Exercises like Quantum Dawn are a key part of that strategy.