SIFMA’s After-Action Report on Quantum Dawn VI Cybersecurity Exercise

On March 31, 2022, the Securities Industry and Financial Markets Association (“SIFMA”) released its after-action report on Quantum Dawn VI – a global financial-markets cybersecurity exercise.

Quantum Dawn VI was conducted on November 18, 2021, with over 1,000 participants from 240 financial institutions and regulatory bodies representing 20 countries. The exercise simulated a large-scale ransomware attack by a state-actor against major global financial institutions and regulators. The scenario was chosen, in part, based upon an observed 93% increase in ransomware attacks during June 2020 – 2021. SIFMA has conducted the Quantum Dawn exercises for the past 10 years.

Key Findings Among the Participants
  • Recovery plans are common;
  • Many exercise their incident response and recovery plans;
  • Most have critical data recovery capabilities;
  • Cybersecurity insurance is widespread; and,
  • Most have bare-metal restoration capabilities for critical functions.
Key Recommendations
  • Continue investing in cyber, business-continuity and incident-response planning and recovery capabilities.
  • Create alternate communication channels for worst-case scenarios.
  • Beware that ransom may not recover data. (Indeed, FinCEN and other anti-money laundering agencies discourage ransom payments)
  • Join with global stakeholders.
  • Follow best practices:
    a. Critical infrastructure not exposed to public internet;
    b. Implement multi-factor identification everywhere;
    c. Use Identity Governance & Administration to detect backdoor accounts;
    d. Use Privileged Account Management systems for extra defense;
    e. Isolate and disconnect infected machines immediately; and,
    f. Develop proactive threat hunting capabilities.

On March 15, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring the Cybersecurity and Infrastructure Security Agency (“CISA”) to implement rules requiring incident reporting within 72 hours and ransomware payments within 24 hours, among others. That Act broadly mirrors similar rules recently proposed by the Securities and Exchange Commission (“SEC”). I covered the SEC’s proposal for public reporting companies in SEC Proposes Cybersecurity Disclosure Rule For Public Companies and for investment advisers and companies in SEC Proposes Cybersecurity Rule for Advisers, Investment Companies.

The After-Action Report comes even as Russia’s invasion of Ukraine has raised the cybersecurity threat landscape. Just days earlier, the Biden Administration issued another warning about potential Russian cybersecurity threats in response to the imposition of additional economic sanctions. That March 21 release may be found here.

The After-Action Report is here.

Thomas K. Potter, III ( is a partner in the Securities Litigation Practice Group at Burr & Forman LLP. Tom is licensed in Tennessee, Texas, and Louisiana. He has over 35 years of experience representing financial institutions in litigation, regulatory, and compliance matters.

Jump to Page
Arrow icon Top

Contact Us

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.