Big Banks Brace for Cyberattack Exercise

The nation's biggest banks are steeling themselves for a simulated cyberattack that organizers say will feel like the real thing.

The drill, dubbed Quantum Dawn 2, is expected to mimic a coordinated, large-scale assault on the financial industry's online sites and information systems, according to the Securities Industry and Financial Markets Association, or SIFMA, which is leading the exercise.

Many of the nation's biggest banks, including JPMorgan Chase (JPM), Wells Fargo (WFC), Bank of New York Mellon (BK) and U.S. Bancorp (USB), are expected to participate in the simulation, which is open to companies of all sizes regardless of whether they belong to SIFMA. Officials from the Department of Homeland Security, Treasury, the Federal Reserve and the Securities and Exchange Commission also are expected to participate.

In all, more than 50 banks, exchanges and coordinating councils are expected to take part in the simulation, which will test participants' ability to coordinate internally and with one another, as well as the resiliency of their processes.

The simulation follows a series of cyberattacks between September and May that slowed online sites at some of the nation's biggest banks. It also follows a series of reports since February that charge China with using hackers to steal secrets from U.S. companies, including financial firms.

"We're going to test how we respond, where we share information well and where we have good situational awareness," says Karl Schimmeck, a former Marine who oversees financial services operations for SIFMA. "The whole goal is to understand the scenario, the effects and the response process."

The drill also aims to test decision-making with limited information in real time, adds Schimmeck, who previously supervised operational and financial risk in the derivatives trading unit at Goldman Sachs (GS).

Quantum Dawn 2 is slated to run for five and a half hours starting at 9:00 a.m. Eastern on June 28, although SIFMA officials said Tuesday they anticipate rescheduling the exercise to accommodate demand from participants who would like to open it to as many companies as possible, including banks of varying sizes. Companies taking part in the exercise pay a fee of $1,000, $5,000 or $10,000, depending on revenue, to cover the cost of staging the simulation.

As the name implies, Quantum Dawn 2 aims to build on a six-hour simulation the Financial Services Sector Coordinating Council staged nearly three years ago, Quantum Dawn. That drill was held on Nov. 18, 2011, the same day that "Breaking Dawn — Part 1," the first installment of the "Twilight" saga, debuted in theaters.

Roughly 30 companies participated in Quantum Dawn, which presupposed a combination of physical attacks, a terrorist bombing, and a cyberattack on Wall Street that halted trading, rearranged orders and perverted stock prices. Participants proved able to share information but struggled collectively to decide critical questions in real time, according to findings published last year by SIFMA.

Conclusions from the drill included a need to improve the industry's ability to accelerate decision-making, especially when presented with incomplete information in situations that threaten public confidence in markets. The participants also resolved to stage more sessions to practice managing cyber incidents with one another.

Unlike Quantum Dawn, which massed participants around a conference table, Quantum Dawn 2 will post participants at their own offices, where they will participate via email, telephones and other communications channels. "That should provide a little more realism and a little more friction," says Schimmeck. "It's harder to get hold of a person when you're on the phone than when you're sitting across from them at a table."

The scenario itself will be simulated down to the data and will proceed without any ties to participants' systems or software. The design reflects organizers' focus on assessing coordination and decision-making rather than on identifying gaps in participants' networks or information technology infrastructure, Schimmeck notes.

That's not to say that Quantum Dawn 2 won't simulate networks, processes and protocols in use in the real world. The exercise has been modeled on companies' networks and the connections among them. "Multiple threats will come into the game space," according to Schimmeck.

Threats are expected to unfold over two days even though the operation itself will last only a few hours. That allows the drill to simulate a maximum amount of effects in a minimum amount of time, says Schimmeck, who adds that companies will encounter a series of scenarios for assessment and action. A series of stops will occur throughout the operation that will allow organizers to introduce new information. "It's a series of jumps through time," Schimmeck says. "That way we get two days into a real-life five hours."

Organizers say they also have contingency plans should an actual emergency arise during the simulation. "We would do whatever is prudent from a risk standpoint," Schimmeck notes. "This is a top priority for our sector. We want to stay ahead of the adversaries that are out there."
