The Securities Industry and Financial Markets Association (SIFMA) makes several recommendations for improving the financial industry’s preparation for a possible large-scale cyber attack on financial markets, in a report published Monday.
Earlier this year, the U.S. financial industry held a major cybersecurity exercise, known as Quantum Dawn 2, in an effort to test the industry’s readiness for a possible systemic attack. On Monday, SIFMA published a summary report detailing the results of the exercise, including recommendations about areas where the industry can improve its crisis management procedures.
The recommendations include calls for the industry to: review and update its sector-wide response playbook to promote greater integration between industry groups, market participants, and government agencies; augment existing guidelines and decision frameworks to determine if cyber incidents are systemic in nature and could impact the broader financial system; and institutionalize the procedures for determining if markets will open or close in response to a systemic cyber attack.
Additionally, the report says that the industry should set protocols that will promote greater communication and information sharing among market participants when responding to a cyber attack, and that it should formalize a strategy for communicating with the public during a cyber attack to promote trust and confidence in the markets.
The exercise simulated multiple attacks, with different motives, which directly affected market performance and eventually led to a market closure at the end of the exercise. The report says that the exercise successfully tested many of the industry’s processes and protocols, raised awareness among industry participants about working together to address systemic risk issues, and verified the importance of information sharing both between firms and the government as vital to identifying attacks and mitigating the impacts.
“Cybersecurity is a top priority for the financial industry,” said SIFMA CEO Judd Gregg. “Quantum Dawn 2 demonstrated the industry’s resiliency when faced with serious cyber attacks that aimed to steal money, crash systems and disrupt equity market trading. Most importantly, the exercise helped participants identify areas where we can improve. Complacency is not an option in the fight against cyber crime.”
Gregg added that the exercise “proved that information sharing between the private sector and the government is one of the most effective ways to combat cyber crime. We hope this exercise will encourage Congress to pass legislation that promotes this sharing and other activities that will help our country more effectively mitigate cyber threats on the financial system.”
“Quantum Dawn 2 helped participants understand the need not just to be secure, but also to be vigilant and resilient in the face of cyber threats,” added Ed Powers, national managing partner in the security & privacy practice at Deloitte & Touche LLP, which co-authored the report and served as an objective observer of the exercise.
“In today’s environment, it’s unrealistic to expect that defenses can prevent all cyber incidents. The financial industry should continue developing capabilities for detecting incidents when they occur, minimizing the impact on business and critical infrastructure, and tying these capabilities together in a comprehensive framework. Quantum Dawn 2 is an important step in that direction,” he added.