
ICI 2024 Cyber Industry Tabletop Exercise: After-Action Report

Information Technology | 2025-01-25 | ICI

“Through our Cyber Industry Tabletop Exercise, ICI members had the invaluable opportunity to evaluate their response and recovery capabilities and explore the best strategies to fortify them. Cybersecurity is a responsibility of every person and firm in our industry, and ICI is dedicated to doing whatever we can to work with our members and strengthen our collective resilience to evolving cyber threats.”
Eric Pan, President and CEO, Investment Company Institute

The content contained in this document is proprietary property of ICI and should not be reproduced or disseminated without ICI’s prior consent. It is not intended to be, and should not be construed as, legal or investment advice. Each firm should make independent decisions, if any, based on the information in this document and other appropriate considerations.

ICI Cyber Industry Tabletop Exercise 2024: AFTER-ACTION REPORT

Overview

The asset management industry faces an escalating battle against cybercriminals employing increasingly sophisticated tactics. From state-sponsored attacks to ransomware-as-a-service (RaaS) platforms enabling low-skilled criminal infiltrations, the threat landscape is more complex than ever. Unlike cyber-attacks that focus on service disruption of a common industry service provider or infrastructure without necessarily seeking direct financial gain, ransomware attacks are more isolated in scope and are focused on extorting victims. Ransomware attacks are increasing and create significant commercial and reputational risks for the affected organization, often requiring substantial time and resources to mitigate. These attacks can also have spill-over reputational and operational impacts on related industry organizations.
To address the common risk of a ransomware cyber-attack, the Investment Company Institute (ICI) hosted an in-person industry tabletop exercise on July 24, 2024, at AllianceBernstein in New York, NY. Thirty-three (33) ICI member firms and over fifty (50) attendees, including facilitators and observers, participated in the exercise, which was planned and facilitated by ICI and volunteers from its Chief Information Security Officer (CISO) and Business Continuity Planning (BCP) committees.*

The objectives of the tabletop exercise were as follows:

1. to provide a forum for collaboration and information sharing under simulated stressed conditions,
2. to raise participant awareness of ransomware considerations, and
3. to allow participant firms to practice and enhance their crisis management and cyber incident response plans and recovery strategies.

Simulating a ransomware attack on a single ICI firm over a three-day period, participants were asked to assume the impacted firm was their own, and that all financial markets, counterparties, and service providers were otherwise operating normally. From this perspective, participants assessed and responded to common questions within small group assignments and with the broader group about response plans and recovery strategies while considering various business, client, risk, compliance, and technology considerations.

Scenario and Methodology

The tabletop exercise followed a scenario whereby a fictitious cyber-criminal organization “Lockbit X” successfully stole administrative credentials to assume control of the hypothetical ICI firm’s corporate network.

ICI organized exercise participants into groups of 6–8 participants led by a facilitator. These groups reflected both the diversity of participating firm size and participants’ business and technical expertise. Groups responded to questions at three distinct points in the timeline of the exercise, reporting responses to the broader group as the exercise progressed.

Introduction

At 11:15 AM ET on a Thursday, the IT service desk received reports of workstation and connectivity issues from Fund Operations employees. Initially assumed to be a common technology infrastructure issue, the situation escalated rapidly.

By 11:45 AM ET, the outages had spread to a large part of the firm, and employees were locked out of their workstations. A ransomware message appeared on their screens, demanding $35 million in Bitcoin within 24 hours, or $70 million if the deadline was missed.

INJECTION 1: Day 1 (First 2 Hours)
INJECTION 2: Day 1 (3 to 8 Hours)
INJECTION 3: Day 2 to Day 3+

Situational Update (Day 2): Corporate network remains locked. Outage estimated to extend into the weekend and possibly into next week. Crisis Management Team and external legal counsel advise not to pay the ransom. Alternate means of external communication are being used. Clients remain concerned. Cash reserves and credit lines are stressed to meet increased cash flow demands.

» Internal Events: Employees still locked out, communication systems down, response team investigating.
» External Events: Counterparties and clients notice the outage, news spreads on social media.

» Internal Events: All employees, including cybersecurity and technology teams, are locked out of the company network. Corporate com