The banking industry just finished a large cybersecurity exercise, Quantum Dawn VI, organized and led by SIFMA (the Securities Industry and Financial Markets Association). Kudos to SIFMA for its continuing work in this area and for the reporting expected later on lessons learned.
At the same time, the energy sector completed its own huge GridEx VI test. Sponsored by the Electricity Information Sharing and Analysis Center of the North American Electric Reliability Corporation (the official “Electric Reliability Organization” for North America), the drill involved a simulated electricity grid crash. While cyberattacks are only one risk to the grid, they are a real and increasing threat, and so were included as a major factor in GridEx VI.
I know from the ransomware incidents I am handling for clients that cyber threats are not declining these days. I know from representing clients in connection with the recent Winter Storm Uri problems that our energy grids and pipelines were potentially vulnerable infrastructure even before cyber issues. And as one major utility’s CEO noted in connection with GridEx VI, there are obvious cross-industry risks between the electric sector and the banking sector. The timing of the two industry cybersecurity drills underscored this.
By the way, completion of the SIFMA-sponsored drill was just in time for the November 18, 2021, announcement of approval by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency of a final rule requiring reporting, usually within 36 hours, to a bank’s primary regulator of any “computer security incident” that has, or is expected to, “materially disrupt or degrade” banking operations, or would (if a failure of service occurred) result in a “material loss of revenue, profit, or franchise value,” or that would (if a failure of service occurred) “pose a threat to the financial stability of the United States.” (There is a reporting requirement to customers as well for certain incidents expected to last longer than four hours that would “materially disrupt or degrade, covered services.”) This new rule is effective on April 1, 2022.