04/16/2026 | Press release | Distributed by Public on 04/16/2026 07:45
In this episode of the SIFMA podcast, Steve Byron is joined by Todd Klessman and Andrew Retrum of Protiviti to discuss the Quantum Dawn VIII After Action Report.
Their conversation explores key findings from the November 2025 exercise, including lessons from a polycrisis scenario, the role of public-private collaboration, and areas of focus for strengthening the financial sector's operational resilience and cybersecurity.
(Edited for clarity)
Stephen Byron: Hello, and thank you for joining us for this episode of the SIFMA podcast. I'm Steve Byron, Managing Director and Head of Technology, Operations, and BCP at SIFMA, and your host today.
Today, we'll be discussing the Quantum Dawn VIII After Action Report. I'm pleased to be joined by my SIFMA colleague, Todd Klessman, Managing Director of Financial Services, Cyber, and Technology, as well as Andy Retrum, Managing Director in the Technology Consulting Practice and Global Technology Risk and Resiliency Practice Lead at Protiviti.
As always, we welcome your comments and questions. Listeners can reach us at [email protected]. And with that, let's dive into today's discussion.
Todd, let's start with you. Can you describe SIFMA's overall operational resilience and cybersecurity initiatives, and how Quantum Dawn fits into that?
Todd Klessman: Sure, Steve. Thanks, I'd be happy to.
SIFMA works closely with partners throughout the financial sector to strengthen operational resilience, protect market infrastructure, and ensure continuity of service for clients and investors during times of disruption.
In the areas of business continuity and crisis management, SIFMA leads industry-wide efforts to ensure firms can operate through significant emergencies using backup systems, recovery facilities, and redundant communications networks.
Examples of these efforts include coordinating an annual industry-wide business continuity test that allows firms to evaluate their ability to operate under stress, and maintaining an emergency crisis management command center. This enables SIFMA to convene market participants and coordinate with the U.S. Department of the Treasury, the Department of Homeland Security, and others during an industry-wide incident.
SIFMA is also highly active in cybersecurity, which remains one of the financial industry's top priorities. Protecting client information and ensuring the secure, reliable execution of transactions is central to maintaining market integrity and public trust.
To support these goals, SIFMA works with its members to advance a risk-based, harmonized approach to cybersecurity policy that promotes efficiency, coordination, and information sharing.
The Quantum Dawn exercises are a core part of these operational resilience and cybersecurity efforts. Since the first exercise in November 2011, this biennial exercise has brought together financial institutions, market utilities, and government partners to simulate systemic cyber incidents and improve coordination, communication, and response capabilities.
These exercises are among the most comprehensive cybersecurity readiness programs in any sector.
Byron: That's a great summary. Thanks, Todd. Let's talk about the November 2025 Quantum Dawn exercise, the eighth in the series. Can you walk us through the scenario?
Klessman: Sure. For this iteration, we tested the sector's readiness for a "polycrisis": multiple cyber and physical events occurring simultaneously.
The scenario combined severe weather, a telecommunications infrastructure failure, a financial market infrastructure outage, and adversarial cyber activity. It began with a Category 5 hurricane making landfall near New Jersey and Long Island, causing widespread power outages, flooding major data centers, and impacting staff's ability to reach work locations.
On top of that, we layered the cutting of a major transatlantic communications cable, disrupting telecommunications between the U.S. and Europe. This meant critical data traffic into and out of financial centers in New York and beyond would be impacted. That was followed by a ransomware attack on a global central counterparty clearinghouse, causing it to disconnect from clearing and settlement infrastructure to limit contagion risk.
Finally, the scenario included a state actor claiming responsibility for both the cable cut and the ransomware attack, introducing national security concerns for firms to consider as they responded to the scenario.
Byron: Thanks, Todd. Andy, let's bring you in. Protiviti helped develop and oversee the simulation. What were the key objectives of Quantum Dawn VIII, and how did the polycrisis element support those objectives?
Andy Retrum: Thanks, Steve. I appreciate the opportunity to be here. There have been two consistent objectives for Quantum Dawn. First, to allow participants to exercise their incident and crisis management procedures, playbooks, and decision-making frameworks in a realistic scenario. Second, the Quantum Dawn platform allows not just organizations to assess and exercise their own playbooks and activities internally, but really reinforce cross-sector collaboration, which is critical during major disruptions.
The polycrisis element introduced a differentiating factor for this one and forced companies to look at an adverse event for what it is. It's not just a single clean event, it's a compounding of a variety of different things. It's not just a hurricane, it's the outage that goes along with it, or the disconnection from a third party that goes along with it, or the fact that your security folks are stretched thin. That polycrisis aspect provided a different perspective from some of the prior exercises.
We also worked with a variety of trusted advisors throughout SIFMA members that were part of the design team. One added benefit of a polycrisis scenario like this one is that it allowed the participants to choose their own adventure. If, for example, their organization was more focused on managing third-party disruptions, this polycrisis allowed them to laser in on that aspect and maybe de-emphasize some of the other adverse events that were covered. So it allowed for a lot of flexibility in the participants, and we think that really allowed a variety of different companies of a variety of different shapes and sizes to get the most out of the exercise.
Byron: Yeah, that was great. And certainly, the feedback that we received immediately post the Quantum Dawn exercise was that that kind of choose your own adventure, as you put it, scenarios was very well-received from members, enabling them to pick and choose where they wanted to go deep there. So thanks for that. That was a great summary.
And for the first time in the history of the events, we also hosted a series of panel discussions that comprised a cross-section of industry and sector experts. Todd, what were your views on those observations, and how did they inform the findings?
Klessman: Sure. So the feedback I heard is very similar to what, Andy, you were mentioning about the exercise overall. We heard the panels were a welcome addition, which really allowed subject matter experts to provide practical observations based both on their real-world experience and on what they saw unfold during the exercise.
So, for example, the panel on hurricane response was able to highlight how the industry has evolved since Superstorm Sandy. They noted a move towards greater geographic dispersion of both personnel and physical operations like data centers, which has helped ensure firms can execute critical processes from multiple locations.
The panel on Information Sharing and Analysis Centers, or ISACs, talked about how cross-sector collaboration has really emerged as a foundational requirement for operational resilience, particularly among the communications, energy, and financial services sectors.
That panel highlighted how the joint planning, shared exercises, and coordinated response mechanisms have really supported the identification of hidden dependencies and strengthened collective preparedness. That panel also noted how ISACs played a critical role in the ecosystem by enabling timely and trusted sharing of both threat intelligence and incident data.
The third panel shared insights on how artificial intelligence is becoming both a powerful enabler of resilience, while at the same time presenting new risks and emerging threats. The panel highlighted continuous testing, adaptable defenses, and investments in advanced technologies, as well as human judgments, as ways to help manage the emerging AI threat.
And then the final panel looked at the disconnect/reconnect protocols and how important they are for managing third-party risk during operational disruptions. Panelists noted that clearly defined and well-tested disconnect/reconnect procedures enabled firms to isolate affected vendors quickly while minimizing unnecessary disconnections and enabling orderly reintegration once risks are mitigated.
Ultimately, I think the panels really helped deepen the overall findings from the exercise while also allowing participants to receive useful planning insights in real time.
Byron: Yeah. So I agree, Todd. Look, the very good news is that the exercise validated what we thought to be true, right? The industry has embraced polycrisis planning and the public-private collaboration imperative. Todd, maybe you could build on why that is so important.
Klessman: Sure. So, I think those of us in the operational resilience and business continuity world know that neither Mother Nature nor adversaries operate on our preferred schedule. Now, in fact, in the case of bad actors, it's often quite the opposite, where the nefarious individuals are routinely looking to strike when an organization is at its most vulnerable.
So given that, it is essential that organizations periodically test their capabilities to respond to multiple crises at once. And regardless of whether we're talking about an isolated incident or a polycrisis, the public-private collaboration is an invaluable part of successful preparation and response capabilities, both for an individual organization and for the collective financial sector.
Now, no single organization, be it government or industry, has full visibility into the threats, interdependencies, and vulnerabilities that can contribute to systemic risk. So only by combining these perspectives can we anticipate cascading effects, respond decisively to major disruptions, and safeguard the stability of the financial system as a whole.
Byron: Yeah. Thanks for that. Andy, I'm going to pivot straight to you, and maybe we could kind of walk through and cover some of the conclusions that were drawn from the exercise.
Retrum: Sure. There's a few, I think, top of mind. There's a few items that I'll cover just in the discussion now, although I would encourage folks to go to SIFMA's site and download the full after-action report. I think it does a really good job of covering some of the key themes. We also, I think this is maybe the second or third Quantum Dawn, that we've integrated a pretty robust survey for the participants throughout the exercise, and have some really good data included in the after-action report as well.
But maybe a few of the topics I wanted to cover. First is the unknowns. In this instance, I think of all the elements covered across nation-state threats, weather-related events, the one that there was just a bit of uncertainty, and this was reinforced by the survey, is around undersea cable cuts. Two-thirds of the participants noted that they either hadn't tested those scenarios, those undersea cable cut scenarios, or they were unsure if they had. So that was maybe highlighting a bit of a blind spot for many organizations that participated in the exercise.
The second area is, I think those things that are top of mind. Clearly, I think there's an appreciation for how interconnected things are across the financial sector, and an understanding that a disruption of a third or fourth party will have an impact. I think, there's been a lot of good work done around disconnection and reconnection. That will be a continued area of focus as organizations continue to grapple with how they gracefully go through the process of a disruption of a third-party, a connected party.
And then Todd briefly mentioned artificial intelligence. It's tough not to talk about that these days, and that came up often in the exercise and the survey results, in a number of different ways. AI is, of course, a force multiplier, and there are ways that the technologies and models can be used to build resilience, create a kind of more robust response, playbooks, better understand dependencies, et cetera.
But it's also a risk multiplier, right? The bad actors are looking to AI to more efficiently and effectively do bad things, right? So that's going to continue to evolve, and I think the sector needs to continue to evolve with it and make sure that AI is part of the discussion around responding and recovering from adverse events going forward.
And then finally, and again, this is my fourth. I felt really blessed to be involved with four of these exercises. I'm always left with just an incredible appreciation for the amount of collaboration and commitment from SIFMA and the members, just in terms of collaborating when bad things happen. And it gives me a lot of comfort to know that we've got these types of people, and we saw it in the panels, in person folks who were there. Just the kind of collaboration, the knowledge sharing that occurs when bad things happen. That's what's needed at the end of the day to address these types of events and recover from them. So, as with the prior exercises, always nice to see that level of commitment and collaboration.
Byron: Yeah, thanks for that. I'd certainly echo your sentiments there on the last point. One of the couple of areas that I would call out that I thought were interesting that came out of the panel discussions was when the panel was discussing the sort of aftermath of Hurricane Sandy. The fact that firms had challenges during that storm due to the fact that data centers were located closely together. Over the years, they kind of dispersed those data centers out across the U.S. Now, with the move to cloud computing, you're seeing potentially a reconsolidation of data centers into the sort of cloud providers. I think that is an emerging risk of sort of concentration, potential concentration risk there was an interesting topic that came out of the discussions as well.
I also think just that the physical and cyber risks being combined, right? So where you had the hurricane, plus you had the ongoing cyber attack and the nation state actor taking advantage of that. I think there's increasing sort of focus from the industry around that sort of dual threat combination now around the physical infrastructure, as well as the cyber threat happening simultaneously.
So, Todd, obviously we don't just do a cyber exercise every other year and then pause and wait for the next one. SIFMA is always working on cyber and operational resiliency. What are our next steps following the results of the November exercise?
Klessman: Sure. So the after-action report itself identifies a number of activities SIFMA intends to perform to help improve the financial sector's cyber security and operational resilience, and build off the findings from the exercise that Andy walked us through.
Some of the things that we'll be focusing on include efforts to better understand those telecommunications, cloud, and other third and fourth party interdependencies, socializing and encouraging adoption of reconnection protocols, working with the sector to facilitate good AI governance practices for financial institutions. And then, of course, continuing to sponsor exercises like Quantum Dawn going forward.
Now, since the completion of Quantum Dawn, SIFMA and its partners have taken steps to achieve a number of these activities. So, for example, in December, SIFMA and the Financial Services Sector Coordinating Council published the latest version of the Reconnection Framework. This is a document that provides updated guidance on the steps a firm compromised by a cyber incident can take quickly and safely to reconnect to the financial ecosystem once the cyber incident has been contained and mitigated.
SIFMA also supported the development of the Cyber Risk Institute's AI Risk Management Framework, which is designed to help financial firms manage the risks associated with AI by operationalizing the NIST's AI Risk Management Framework specifically for financial services sector institutions.
And then lastly, SIFMA is exploring possible exercise scenarios with various domestic and international partners, looking at ways to help ensure the financial sector is prepared to handle changes to resiliency that are stemming from changes to the operating environment. Some of the examples of these operational changes that we are concerned about include the moves to T+1 and extended trading, the expansion of digital assets and tokenized securities, and again, the rapid incorporation of AI into various aspects of the financial services ecosystem.
Byron: Thanks. That was great. And so before we wrap, I did want to just ask one final question, which was really around, if our listeners were to take away one key takeaway from this podcast, what would you have them focus on? Maybe Andy, you go first.
Retrum: Sure, Steve. It's a great question. When we go through these exercises, I'm always left with, I think one key point I try and reinforce with folks, it's that the scenario that you plan for, the event that you plan for, the bad event that you plan for, is never the one that happens, right? It's always something a little bit different or something that you hadn't expected.
So really kind of getting out of the specific details and just having a framework with which to approach the bad event, the adverse event, in a thoughtful way, and having a framework with which to make decisions, I think is the most important point.
Byron: Yeah. I think that's a great point. And Todd, what about you?
Klessman: So for me, the thing I always take away from exercises like this is the importance of building those relationships. I think so much of a strong response is the ability to have trusted partners between the private sector and the public sector, across industries, between firms and their third parties. You don't want to be meeting someone for the first time during an incident response. You want to have that trust built in. It really enables the ability to share information and collectively work together for the best possible outcome.
Byron: Yeah. I think that's a great point. And I think that's why the kind of final day in-person panel sessions that we had at Quantum Dawn VIII really resonated with the group more broadly.
Thank you. And thanks, Andy and Todd, for your thoughtful insights and discussion today. And thank you all for taking the time to tune in.
The Quantum Dawn VIII after-action report is available on our website, and I hope you'll take the time to review it. To learn more about SIFMA and our work to promote effective and resilient markets, please visit sifma.org.