Markets In Action

The financial industry exercise simulated a massive cyberattack to test its system response. Here’s what was learned.

There’s no question that a cyberattack can do serious damage. A 2017 study conducted by the Ponemon Institute, and sponsored by IBM, surveyed more than 400 organizations in 11 countries about the costs they incurred due to data breaches. The researchers estimated the average total cost of a cyber incident at $3.62 million.

The financial losses are bad enough on their own, but that total fails to capture the full scope of the costs, which include lost customer trust and damaged public confidence. In today’s connected world, it’s critical that businesses, government agencies and other entities strengthen their ability to detect and defend against cyberattacks—and to respond appropriately if an attack succeeds, before the costs become catastrophic.

This challenge is particularly acute for the financial industry, since security is vital to ensure investor confidence. A large-scale attack is a relatively low-probability event, but if it succeeds, it can have a big impact on a firm’s reputation and bottom line. That’s why financial institutions and capital markets have led the way in developing preemptive exercises to test the sector’s ability to withstand, respond to and recover from cyberattacks.

Financial firms and markets can’t afford to think about cybersecurity as simply a matter of having the best tools and protocols for monitoring and prevention. It’s also about being prepared to respond to an attack, which in today’s world should be seen as a virtual inevitability.

Simulating a cyberattack

In November 2017, the Securities Industry and Financial Markets Association (SIFMA), in coordination with Norwich University Applied Research Institutes (NUARI) and SimSpace Corporation, launched a new cyberattack simulation to test the industry’s security infrastructure and response capability.

Dubbed Quantum Dawn IV (QDIV), the simulation took place over two days, with more than 50 private financial firms and public sector organizations and more than 1,000 industry experts taking part.

“On a daily basis, our industry and government partners are the target of cyberattacks that we must vigilantly counter in order to protect our nation’s financial system,” Kenneth E. Bentsen, Jr., SIFMA president and CEO, said in a news release. “The Quantum Dawn series of exercises is one of the many ways in which SIFMA leads the industry in testing and evaluating institutional preparedness and protocols as well as cross-communication and coordination with government regulators and agencies. This remains a top priority for us and our members.”

Other participants included key financial institutions and associations; the Financial Services Information Sharing and Analysis Center (FS-ISAC); Financial Services Sector Coordinating Council (FSSCC); and federal regulatory and law enforcement agencies like the Department of Treasury, Securities & Exchange Commission (SEC) and Federal Bureau of Investigation (FBI).

The 2017 simulation was the fourth in a regular series first launched in 2011. Here’s how it worked:

  • Day 1 of QDIV was structured as a sector-wide “cyber range” simulation with participants assigned to two teams — a “red team” representing hackers attempting to launch a series of increasingly sophisticated cyberattacks on the industry’s defenses, and a “blue team” of industry players tasked with thwarting those attempts. This structure allowed participants to test their technical preparedness, hone their incident response capability, and identify any shortfalls or gaps.
  • Day 2 of the 2017 QDIV exercise was a simulated “bad day,” in which firms were targeted with a simulated large-scale attack that disrupted payment systems, roiling the financial sector, markets and investors. The attacks took multiple forms, including payment fraud, distributed denial of service attacks, data theft and malware attacks.
  • The “bad day” simulation also included a “breaking news” component to test firms’ ability to respond to and manage media reports in an environment of incomplete information and rising public concern. Throughout the exercise, participants kept up contact with other industry players, regulators and law enforcement through e-mail and telephone, just as they would in a real attack scenario.
  • All parts of the simulated attack are “closed loop,” which means no real-world systems are actually affected during the exercise.

Lessons learned

An after-action report on the Quantum Dawn IV exercise, prepared by Deloitte Risk and Financial Advisory, was published in June 2018. The lessons learned included the need for more clearly defined roles among players within the financial sector, improvements to communication and response efforts, and strengthened coordination with regulators and law enforcement.

Information-sharing and clear communication are vital to decision-making in a high-stakes situation like responding to a cyberattack, Ed Powers, Deloitte Risk and Financial Advisory principal and U.S. leader for Deloitte’s Cyber Risk Services, explained in a news release.

“The Quantum Dawn IV cybersecurity incident simulation exercises challenged institutions’ cyber incident response capabilities and the coordination of resources across jurisdictions, presenting a major opportunity for public and private sector institutions to collaborate to protect our financial services sector,” said Ed Powers. “Shifting the focus away from just securing and monitoring environments, to actually knowing how to respond to a cyberattack, is how financial institutions can keep ahead of the curve.”

Finally, it’s worth emphasizing that while cyber breaches have increased in frequency and scope, the reality is that most such attacks ultimately fail. That’s reassuring, but keep in mind that cyber criminals use failed attacks as part of a learning process, changing their tactics to improve their chance of success in the next round of attacks.

That iterative process—think of it as a “virtual arms race”—means that industry and government can’t rest when it comes to cybersecurity, and should always be working to strengthen the detection and prevention of attacks and the response to them. That’s why industry exercises like Quantum Dawn IV are so important as part of the ongoing effort to strengthen defense and response capability.