SIFMA (Securities Industry and Financial Markets Association) completed a global industry-wide Quantum Dawn VI cybersecurity exercise. It was carried out with over 900 participants from 240 public and private sector institutions, including financial firms, central banks, regulators, and law enforcement entities, across more than 20 countries around the world.
Commenting on the results, Kenneth Bentsen, Jr, SIFMA president and CEO, said in a statement:
There is likely no greater threat to financial stability than a large-scale cyber incident. SIFMA’s Quantum Dawn VI simulated a ransomware event, which underscores this is something the industry must prepare for just as we do for other possible crisis events. SIFMA, in its crisis coordination role, led the exercise, which included participants from SIFMA, AFME (Association for Financial Markets in Europe) and ASIFMA (Asia Securities Industry and Financial Markets Association) member firms, as well as public sector crisis teams across the globe.
A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing. No single actor – not the government, nor any individual firm – has the resources to protect markets from cyber threats on their own, nor do cyber incidents restrict themselves to one geographic region. That’s why the communication aspect was essential to the exercise’s success.
The exercise completed against a backdrop of tightening regulations. Federal bank agencies announced the approval of a final rule to improve the sharing of information about cyber incidents that may affect the US banking system. The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred.
Notification is required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.
In addition, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours. Compliance date is from May 2022.