A staged assault conducted Thursday to test banks' ability to respond to cyber threats was a useful exercise, but banks still have a long way to go before they're fully prepared for cyberwar, observers say.
The Securities Industry and Financial Markets Association conducted the test, called Quantum Dawn 2, to prove the crisis response and communications plans of some of Wall Street's biggest banks. More than 500 people from 50 different financial services companies and government agencies participated.
This drill is the sequel to a six-hour simulation the association held nearly three years ago.
At the time, 30 companies took part in Quantum Dawn. (The name is a play on the "Twilight Saga" movie "Breaking Dawn," which was released the day of the event, Nov. 18, 2011.)
Unlike with Quantum Dawn, which put participants around a conference room table, Quantum Dawn 2 participants worked in their own offices where they took part via email, telephone and other communications channels.
A trade group official declared the event a success.
"Cybersecurity is a top priority for the financial industry," Karl Schimmeck, SIFMA's vice president of financial services operations, said in an emailed statement. "This exercise gave participants the opportunity to run through their crisis response procedures, practice information sharing and refine their protocols relating to a systemic cyber attack."
He added that the group plans to analyze the test results to identify areas that need improvement and come up with best practices for financial services companies.
These types of exercises are important to perform. They have the ability to expose gaps in the process, procedures and risk management plans of banks that can't be easily account for internally, says Ben Knieff, a fraud, anti-money laundering and data privacy consultant in New York.
"Just as institutions test software and technology, it is critical to test policies and procedures under a 'crisis mode' to ensure what they think will work actually does work," he says. "When it comes to security, the law of unintended consequences almost always comes into play."
But, while the simulation seems to have been a success, no one should be resting easy.
"This exercise was great for sharing contact information between banks for future collaboration on attacks," says David Jevans, the chairman of Marble Security, which offers security software and services for mobile devices. "But much more needs to be done."
He says an increase in phishing and malware attacks against bank employees meant to gain access to internal systems necessitates constant testing.
Jeff McGurk, a manager of cyber security at AccessData Professional Services, points out that the scope of the test was limited.
It put on trial "the human element," he says. "Things like collaboration, critical thinking, reaction times. But they didn't test the infrastructure or anything digital."
Passing muster on SIFMA's latest test shouldn't put any one bank at ease.
"By no means is it the definitive answer," McGurk says. "After they complete this exercise and say yes, they passed, they can't just sit back and say it's good enough. It's just one small piece of a much bigger picture."