This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
MARKET CONTINGENCY PREPAREDNESS
Audit No. 359
January 27, 2003
We reviewed the Commission's preparations for responding to contingencies that could affect the markets such as natural or man-made disasters, operational difficulties and market volatility. During the audit we interviewed Commission staff and staff at various exchanges, Electronic Communications Networks (ECNs) and clearing corporations. Our review consisted of three components.
We reviewed the Division of Market Regulation's (MR) response to and changes made as a result of the terrorist attacks of September 11, 2001. We reviewed MR's Automation Review Program's (ARP) oversight of the Self-Regulatory Organizations (SROs), ECNs, clearing corporations and other entities that the Commission inspects (inspected entities) to better ensure these entities have implemented appropriate contingency and business continuity plans. We also reviewed the Commission's Continuity of Operations Plan (COOP).
We found that since the terrorist attacks of September 11, 2001, the Commission has taken several steps to enhance its capabilities for responding to contingencies, and further enhancements are planned. The ARP program has also made several meaningful recommendations to better ensure that inspected entities are prepared to respond to various contingencies. Although progress is being made, inspected entities have not implemented all ARP recommendations relating to contingency preparedness. Major components of the Commission's COOP are already in place and further enhancements are planned.
We are recommending that MR consider sending ARP staff to the entities that ARP inspects to observe and become more familiar with their operations. We are also recommending that MR explore ways to ensure requested information from the entities that ARP oversees is forthcoming.
In a separate audit memorandum (#26), we made two recommendations related to the Commission's COOP. We recommended that the job requirements of the Commission's two primary COOP coordinators be reviewed to determine whether national security clearances were appropriate and that four Commission offices submit COOP documents to the Commission's COOP coordinators, as requested.
The Commission's written comments are included in appendix II of this report.
OBJECTIVES AND SCOPE
Our objective was to review the Commission's preparations for responding to market contingencies, including natural or man-made disasters, market volatility and operational difficulties.
During the audit, we interviewed Commission staff, reviewed available documentation and observed operations and communications in the Commission's MarketWatch room.
We interviewed officials at selected Self-Regulatory Organizations (SROs), Electronic Communications Networks (ECNs), clearing corporations and other inspected entities.
We did not evaluate the contingency plans of broker-dealers or make determinations related to any potential effects broker-dealer contingency plans (or lack of contingency plans) would have on the Commission's ability to react to various contingencies.
At the time of our review, the General Accounting Office (GAO) was conducting a review of the ARP program. We contacted GAO and, in light of GAO's review, modified the scope of our review of the ARP.
The audit was performed from June 2002 to December 2002 in accordance with generally accepted government auditing standards.
Automation Review Program
MR's ARP program consists of a team of ten computer specialists and information systems auditors, including the team's direct supervisor. Their duties include overseeing at least 35 entities [1] by conducting risk assessments and on-site inspections, tracking system outages and system changes, reviewing various reports and acting as a liaison with the information system staff of these entities. Under the ARP program, these entities voluntarily follow Commission guidance.
ARP staff review these entities to help ensure that they have sufficient contingency preparedness plans in place, adequately assess risks to their operations due to internal and external threats, have sufficient processing capacity for current and future estimated trading volumes, and have adequate system controls over data security, telecommunications systems, software application and system development and computer operations.
Since the terrorist attacks of September 11, 2001, ARP staff have routinely included a review of contingency preparedness plans and data security in their on-site inspections.
Two policy statements, ARP I and II, issued by the Commission in 1989 and 1991, outline the ARP program's objectives and the Commission's expectations for inspected entities' reporting.
The Commission's Continuity of Operations Plan (COOP) is an effort to ensure the continued performance of essential Commission functions during and after an emergency, disaster or other disruption of normal business operations. As part of the Commission's COOP, each office and division was asked to develop plans and procedures to continue its own operations in the event of various contingencies.
During our audit, the Commission was in the process of fully implementing the COOP and making significant portions available on a secure website. Several key components of this plan related to information technology were already in place during our review. The Commission continues to work with other Federal government and state agencies to coordinate contingency preparedness plans.
Overall, the Commission appears to be adequately prepared to respond to operational contingencies and market volatility. The ARP program's inspections of the entities it oversees have resulted in the implementation of useful recommendations aimed at helping ensure business continuity in the event of various contingencies.
We are recommending that, in addition to sending ARP staff on-site for inspections, MR consider sending ARP staff to the entities that ARP oversees to observe and become familiar with their operations for training purposes. We are also recommending that MR explore ways to better ensure the receipt of requested information from the entities that ARP oversees. We found that inspected entities have not implemented all ARP recommendations relating to contingency preparedness. According to ARP staff, these recommendations may require a substantial amount of time to obtain budget approval from Boards and to implement.
To ensure timeliness, we issued an audit memorandum during the audit containing two recommendations related to the Commission's COOP; the memorandum is attached.
We provided a summary of the comments made by senior staff at the SROs, ECNs, clearing corporations and other entities that ARP oversees to MR officials during the audit.
RESPONSE TO SEPTEMBER 11, 2001
Following the terrorist attacks of September 11, 2001, the Commission took several initiatives to enhance its capability to respond to contingencies. For example, the Commission established a backup MarketWatch room, trained staff to operate this room, enhanced market-monitoring and communication systems, improved secure telephone lines linking the Commission with other agencies, expanded evacuation plans, obtained national security clearances for key staff involved in market oversight operations, and enhanced a directory of key persons the Commission would likely need to contact in the event of a contingency.
Commission staff continue to work with other Federal and State agencies to strengthen business continuity planning in the financial sector. Additionally, the Commission worked with other Federal Regulators on a "White Paper," which proposes practices to strengthen the resiliency of U.S. financial systems.
MR surveyed a range of market participants to find out what lessons were learned from the events of September 11, 2001 and solicited ideas on how the Commission and securities industry could work together more effectively in the event of future crises.
Whenever a credible warning is issued (e.g., Homeland Security raises the nationwide threat level to "orange" or "high") that could threaten the Washington, DC metropolitan area or the financial markets, MR sends trained staff to operate the back-up MarketWatch room. This better ensures that the backup room is staffed in a timely manner in the event of an evacuation of the Commission's main headquarters building.
Our observations of the MarketWatch room indicated that its staff continually monitored the markets and were aware of their responsibilities.
We commend Commission staff for their efforts in better ensuring the Commission is able to respond to various contingencies.
AUTOMATION REVIEW PROGRAM
During our review of ARP's oversight of SROs, ECNs, clearing organizations and other inspected entities, several issues came to our attention. GAO has also commented on and/or made recommendations related to some of these issues in a July 2001 report. [2]
SRO, ECN and clearing corporation officials informed us that the Commission's ARP reviews would be more valuable to them if newer ARP staff had increased knowledge of the systems and key operations used by the inspected entities. These officials were receptive to and/or offered to provide ARP staff an opportunity to observe and become familiar with their information technology (IT) systems that are inspected by ARP staff. They believe such training would provide the ARP staff with an increased level of knowledge about their operations.
Provided that new ARP staff first gain a base level of knowledge from available documentation and IT training classes, we believe that periodic on-site observation would be an efficient way to become familiar with inspected entities' operations. On-site observation could also be useful to ARP staff when there are significant changes in an entity's business operations and technological systems. Relevant staff could go on-site to learn about such changes and study new systems.
MR should send ARP staff to the SROs, ECNs, clearing corporations and other entities that ARP oversees, for on-site observation, as resources and workloads permit.
During our review, ARP officials informed us that they periodically send ARP staff to inspected entities for on-site observation. Additionally, some entities have conducted training at the Commission for ARP and other Commission staff.
Some SROs/ECNs Do Not Promptly Respond to Information Requests From ARP Staff
To assist ARP in its oversight function, the inspected entities are expected to send to ARP various information including:
· Written notification of significant system outages ("System Outage Notification");
· Advance notice of significant changes to automated systems ("System Change Notification");
· External and/or internal auditor or consultant reports;
· Updates on contingency capabilities; and
· Progress updates related to various initiatives.
These expectations have been communicated to the inspected entities and are provided for in ARP Policy Statements I and II. However, these entities do not always forward this information to ARP or it is forwarded following repeated requests from ARP staff.
In mid-2001, a senior-level MR official sent a memorandum to the SROs and Nasdaq reiterating the expectation that these entities would send System Outage Notification and System Change Notification reports to ARP staff. This memorandum contained a detailed explanation of the types of events triggering these notification reports. Also, in a mid-2001 conference call, the Director of Market Regulation reminded the SROs to notify ARP staff immediately of system outages and to provide follow-up reports. Despite these reminders, some entities do not forward these documents to ARP in a timely manner.
ARP staff indicated that the inspected entities may not make sending these documents to ARP a priority. GAO also noted that SROs do not consistently provide information to ARP. [3]
MR should work out an approach to better ensure the timely receipt of information from the inspected entities. If MR is not able to improve the satisfactory receipt of information within 12 months of this report's issuance, MR should inform the Commission and recommend action on this issue.
Outstanding ARP Recommendations Related to Contingency Preparedness
We reviewed a listing of ARP program recommendations, as of September 17, 2002, related to contingency preparedness and large trading volume, known as capacity. [4] We found that the ARP program has made more than 350 recommendations and has closed out a high percentage of these recommendations, ensuring the adoption of several recommendations related to contingency preparedness.
We also identified several open recommendations, which, if not implemented, could result in operational difficulties. These recommendations have all been open for at least a year (as of September 17, 2002).
For example, some entities have not complied with recommendations to fully test their disaster recovery plans or to do so periodically. At least one entity has not documented or implemented its disaster recovery plan and another has not implemented a business recovery plan for its related trading facilities.
Some entities have not implemented ARP recommendations relating to their ability to ensure that their information technology systems have adequate processing capacity for current and future estimated trading volume.
Additionally, in 1993, 1994 and 1998, respectively, the ARP program recommended that the New York Stock Exchange (NYSE), the American Stock Exchange (AMEX) and the Chicago Board Options Exchange (CBOE) each consider installing an off-site backup trading floor that could be used in the case of a disaster. We commend the ARP program's foresight in making these recommendations.
Although these exchanges considered ARP's recommendations, up until September 11, 2001, they contended that it would not be cost-effective to install backup trading floors. However, immediately after the terrorist attacks of September 11, 2001, the NYSE and AMEX undertook initiatives to establish off-site backup trading floors. CBOE, however, is still reluctant to establish an off-site backup trading floor, citing cost-effectiveness as a reason.
ARP officials have communicated outstanding recommendations to the senior staff of inspected entities. Additionally, the ARP program has a procedure for communicating recommendations to the Director of Market Regulation and, if necessary, to the Commission in situations where an SRO's response to a recommendation is unsatisfactory. In at least two instances, the Director of Market Regulation or an Associate Director wrote letters to address issues or recommendations that the entities were not addressing. One letter was instrumental in resolving an issue and another was successful in getting an entity to reconsider implementing certain recommendations. Unimplemented ARP recommendations, however, have not formally been brought to the attention of the Chairman or Commissioners for resolution. [5]
A GAO report, dated July 2001, suggested that the program's voluntary status affects the program's oversight ability. This report stated that
"...by issuing only voluntary guidelines, SEC staff have no specific rules to require SROs to implement key ARP recommendations or create the reports or notices called for in the policy statements and cannot sanction SROs under the ARP program for failing to do so." [6]
This GAO report also recommended that the ARP staff develop a process to bring significant unimplemented ARP program recommendations to the attention of the Chairman and the Commissioners. [7] We agree with this recommendation.
The ARP program has made efforts to reduce the number of outstanding recommendations. Because of these efforts and GAO's recommendation above, we are not making additional recommendations.
AUDIT MEMORANDUM NO. 26
September 30, 2002
To: Robert Herdman
From: Walter Stachnik
Re: Continuity of Operations Planning (COOP)
We performed a survey of the Commission's Continuity of Operations Planning (COOP) in conjunction with an on-going review of the Commission's market contingency preparedness operations. Staff in the Office of Administrative and Personnel Management (OAPM) and the Executive Director's Office (OED) are responsible for ensuring that the Commission's COOP is complete and operational.
NATIONAL SECURITY CLEARANCES
During our survey, we found that OAPM and OED staff assigned to the Commission's COOP operations did not have a national security clearance. In some instances, this prevented Commission staff from reading classified documents to which they had contributed. It also prevented them from engaging in discussions with other Agency staff about possible threats, certain contingency operations and sensitive matters.
Additionally, only staff with national security clearances are generally privy to credible threats received by a Federal Government Agency. This lack of information could prevent trained COOP staff from reacting promptly or properly in an emergency.
OED, in conjunction with OAPM, should (1) review the job requirements of OED and OAPM staff involved in the Commission's COOP, (2) reclassify appropriate job positions as national security positions for appropriate staff, and (3) obtain national security clearances for the staff in the reclassified positions.
After issuance of the draft memorandum, OED and OAPM senior officials stated that they had reviewed the job requirements of their COOP staff and that, currently, national security clearances are unnecessary for OAPM and OED staff assigned to the Commission's COOP operations. They said they would reclassify job positions as national security and obtain national security clearances for appropriate staff, in the future, if needed.
SUBMISSION OF COOP PLANS
COOP coordinators in OAPM and the OED requested contingency plans from each office and division within the Commission. These plans include contact information for all employees, a listing of essential personnel, lines of succession, calling trees, identification and contact information for key customers and vendors, and identification of key processes and vital records. Each office and division was also asked to provide a written overview of the functions its staff is to perform when a COOP plan is activated.
Some offices have not submitted the requested plans, including the Offices of the Executive Director, the Executive Staff, the Secretary, and the Chief Accountant.
The Offices of the Executive Director, the Executive Staff, the Secretary and the Chief Accountant should submit requested COOP documents by October 8, 2002. [8]
cc: Harry Fleming
[1] The ARP program currently oversees the following organizations: 11 exchanges/markets; 8 clearing corporations; 10 ECNs; and at least 6 other inspected entities. These entities include electronic trade processing organizations, organizations with pending applications for registration, and industry initiatives to which ARP staff devote resources.
[2] GAO report number GAO-01-863: "Information Systems: Opportunities Exist to Strengthen SEC's Oversight of Capacity and Security."
[3] GAO report number GAO-01-863, pp. 17-18.
[4] We included a review of capacity-related issues in our overall review of contingency preparedness because an entity's failure to handle large trading volumes could lead to market disruptions and other operational difficulties.
[5] Prior to 1997, draft ARP inspection reports were sent to the Chairman and Commissioners for approval.
[6] GAO report number GAO-01-863, p. 16.
[7] GAO report number GAO-01-863, p. 21.
[8] The related draft memorandum, dated September 13, 2002, also recommended the submission of these documents.