SIFMA has released the after-action report from its biennial Quantum Dawn VII cybersecurity exercise conducted in November 2023.
The exercise engaged over 1,000 participants from more than 170 public and private sector institutions around the globe, including financial firms, central banks, regulators, and law enforcement entities.
The exercise simulated a data destruction event at a critical third party, hosted in the cloud and widely used by the global financial sector to trade in the Treasury and repo markets. As the scenario progressed, participants discovered that the outage had been caused by an issue at that third party.
The goal of the exercise was to strengthen public and private sector-wide communications and information-sharing mechanisms, crisis management protocols, and decision-making, as well as legal and regulatory considerations, as exercise participants responded to and recovered from the scenario presented.
During the simulation, participants were polled on a series of questions, which provided significant insight into the industry’s capabilities for addressing major third-party disruptions.
These findings include:
– A majority of participants (75%) reported having experienced the loss of a critical third party, demonstrating that these outages are not unusual. Ninety-eight percent of firms have developed and maintain response and recovery plans for their critical third parties, and 80% of firms state their plans can account for outages lasting 24 hours or more.
– Information sharing is widespread and involves senior leadership and the board level. Participants demonstrated well-developed and diverse communication plans both internally and externally with stakeholders and industry peers.
“A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing,” said SIFMA president and CEO Kenneth E. Bentsen, Jr.
“No single actor – not the government, nor any individual firm – has the resources to protect markets from cyber threats on their own, nor do cyber incidents restrict themselves to one geographic region. SIFMA and its member firms are deeply committed to regularly testing and enhancing the financial services sector’s cybersecurity resiliency and working with government partners to protect the broader economy. The lessons learned from Quantum Dawn VII will help shape these initiatives going forward.”
Along with SIFMA, global consulting firm Protiviti helped organize the simulation. Following the exercise, SIFMA and Protiviti reviewed the data member firms provided during and after the exercise and developed suggestions for firms to consider when evaluating and uplifting their incident and crisis plans and business resilience strategies. These include:
Firms should continue to consider the impact of longer-term outages of their critical third parties.
While firms plan for third-party outages, an extended failure due to a ransomware attack may pose unforeseen challenges to interim workarounds and to the ability of incident response teams to recover backup data sources. Depending on the firm's risk tolerance for reconnecting to a provider that may have experienced a cyberattack, it could take much longer than anticipated before the third party meets the established reconnection criteria. Recent events show that recovery from a ransomware event may be measured in days to weeks.
Firms should continue preparing to manage their business through alternative means for a time frame that is aligned to more realistic recovery time objectives, considering recent ransomware events. Firms should evaluate whether their regular risk assessments appropriately reflect the increased volume and severity of critical third-party disruptions.
Firms should continue to enhance their enterprise risk assessment process to deepen their understanding of how important third parties are to the delivery of their critical operations. Third-party risk management has increasingly become a focus of resilience guidelines and regulations, such as the Operational Resiliency Guidelines of the Federal Financial Institutions Examination Council (FFIEC) in the U.S. and the Digital Operational Resilience Act (DORA) in Europe, which require firms to understand, manage, oversee and monitor critical third parties and to establish risk tolerances for them.
Firms should continue to improve their response and recovery processes around the long-term loss of a critical third party.
SIFMA and Protiviti offer several questions that firms will need to address and understand in all their ramifications. Firms should establish risk-based criteria for disconnecting from, and reconnecting to, third parties that are experiencing cyberattacks, to ensure the safety and security of their own firm. In parallel, firms need to evaluate and exercise their plans to ensure there are viable recovery options that limit damage during a disruption to their services.
Firms are encouraged to seek industry coordination and collaboration during major outages.
Once a critical third party's services are disrupted, coordination and communication plans are set in motion. Firms should proactively create, validate and evaluate these protocols before an incident to enable smoother coordination when an event does occur. Ideally, communication and coordination will not only be underway internally but will also be managed strategically across the industry and with customers, regulators and, if necessary, the media. Firms should be prepared with escalation protocols, the decision-making actions that will be required, and crisis management templates that can be executed readily. Additionally, firms should incorporate measures for reassuring their market partners about their recovery process as part of their industry coordination, to help ensure the safety and soundness of the sector after the incident.