The Securities Industry and Financial Markets Association (SIFMA) released a summary of key recommendations from its biennial Quantum Dawn cybersecurity exercise conducted in November 2021. This event enabled financial firms, central banks, regulatory authorities, trade associations, law enforcement and information sharing organizations around the world to rehearse incident response protocols, both internally and across the sector, against a broad range of significant ransomware attacks targeting the financial sector.
The exercise engaged SIFMA’s Global Directory Members, which were brought together during QD V in November 2019, and also focused on identifying potential gaps in responses. Participants included over 1,000 representatives from 240 public and private sector institutions, including financial firms, central banks, regulators, and law enforcement entities, across more than 20 countries around the world.
“A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing,” said Kenneth Bentsen, SIFMA president and CEO, in a statement. “No single actor — not the federal government, nor any individual firm — has the resources to protect markets from cyber threats on their own. Firms should also continually exercise their crisis management, incident response and data recovery plans to ensure rapid response and recovery from ransomware or other types of cyber-attacks.”
Recommendations include:
- Make critical investments in capabilities: institutions should continue to invest in robust ransomware recovery and cyber, business continuity and information technology incident response plans and strengthen these plans based on frequent exercises and tests.
- Create alternate communication channels for worst-case scenarios: in the event a regulatory authority is impacted by a ransomware event and goes offline, firms should have processes in place to use alternate communications channels.
- Be aware that ransom payments may not lead to data recovery: SIFMA does not recommend paying a ransom. Executives need to carefully consider the realities of taking such actions, including the possibility that they still may not recover stolen data.
- Join global directory of critical stakeholders: financial firms are strongly encouraged to join SIFMA’s Global Directory of critical stakeholders. This directory was created to identify critical public and private sector organizations and key contacts that play a role in crisis management and global information sharing.
- Follow best practices: validate that critical infrastructure assets are not exposed to the public internet; institute controls such as self-service password management requiring a second factor to avoid being socially engineered; require multi-factor authentication (MFA) everywhere; deploy modern-day Identity Governance and Administration (IGA) systems to detect backdoor accounts; use a privileged account management (PAM) system to check in-and-out access to accounts or deploy even more advanced defenses for critical admin-level accounts; isolate and disconnect infected machines immediately; develop proactive threat hunting capabilities.