Speech by SEC Staff:
Disaster Recovery and Business Continuity Planning
Mary Ann Gadziala
U.S. Securities and Exchange Commission
Financial Markets Association 2003 Compliance Seminar
May 1, 2003
The Securities and Exchange Commission disclaims responsibility for any private publication or statement by any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners or the other members of the staff.
Business continuity planning and disaster recovery in financial services are not new concepts. They have been a part of risk management for many years. However, until recently, planning focused on localized disasters or failures: office building fires, local blackouts, computer overloads, and even rodents eating through wires. At the government level, we did conduct some business continuity planning for the financial system based on scenarios of more wide-scale disasters. However, this work was theoretical and generally lacked a sense of urgency.
That all changed on September 11, 2001. Potential became reality in a previously unimaginable way. The terrorist attacks resulted in a wide-scale disaster in our most highly concentrated financial services area. Market-based and geographic concentrations significantly exacerbated disruptions. Because of critical interdependencies, problems at key New York City infrastructure providers disrupted operations at distant institutions. Unanticipated financial system vulnerabilities were exposed as a consequence of this unprecedented disaster. Some back-up facilities were too close to primary facilities, and both were disrupted or inaccessible. Other facilities were inadequate, had multiple potential occupants, or lacked critical equipment. Single points of failure in perceived diverse routing resulted in failed back-up communications systems. While the 9/11 attacks caused significant loss of life and physical destruction in our largest financial center, the stock and options markets reopened successfully with record trading volumes on September 17, less than a week after the disaster.
Since the terrorist attacks of 9/11, there has been a significantly increased focus on and sensitivity to business continuity planning and disaster recovery. At the SEC, our particular focus is on the capital markets. The SEC and other financial regulatory agencies have participated in numerous discussions among themselves and with the markets and industry, and produced several white papers and other pronouncements on business continuity planning in the financial services sector. This morning, I will focus on two recent publications: the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" and the proposed NASD and NYSE rules on business continuity planning. I will also summarize the coverage of our SEC examinations in this area.
On April 7, 2003, the Federal Reserve, OCC and SEC issued the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System". The paper identified three new business continuity objectives for all financial institutions with special importance in the post 9/11 risk environment. It also identified four sound practices to ensure the resilience of the U.S. financial system. These practices focus on minimizing the immediate systemic effects of a wide-scale disruption on critical financial markets.
The three business continuity objectives are:
- Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
- Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operation location; and
- A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.
All financial firms have a role in improving the resilience of the financial system because of the interdependence in the network of interrelated markets and participants. Therefore, the agencies concluded that all financial firms should review their business continuity planning and incorporate these three broad objectives to the fullest extent practicable. Both short-term measures and long-term recovery plans should be covered. Recognizing the unique characteristics and varied risk profiles of firms, the agencies did not specify particular requirements. However, the proposed SRO rules, which I will discuss later, do provide some guidance.
As I mentioned, the Interagency Paper also identified four broad sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets.
The sound practices are:
- Identification of clearing and settlement activities in each critical financial market in which a firm is a core clearing and settlement organization or plays a significant role.
- Determination of appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets. Core clearing and settlement organizations should develop the capacity to recover and resume activities within the business day on which the disruption occurs. The overall goal is to resume operations within two hours. Firms that play significant roles in critical financial markets should plan to recover as soon as possible after resumption of core clearing and settlement operations. This should be done the same business day, with an overall goal of a four-hour recovery time.
- Maintenance of sufficient geographic dispersion of resources to meet recovery and resumption objectives. Specific mileage requirements are not prescribed. However, back-up sites should not rely on the same infrastructure components used by the primary site, and back-up operations should not be impaired by a wide-scale evacuation or inaccessibility of staff that services the primary site.
- Routine use or testing of recovery and resumption arrangements. Testing should not only cover back-up facilities of the firm, but connections with the markets, core clearing organizations, third party service providers, and, as appropriate, major counterparties and customers. Connectivity, functionality and volume capacity should be covered.
The Interagency Paper generally states that core clearing and settlement organizations should substantially achieve the sound practices by the end of 2004, and firms that play significant roles in critical financial markets should do so as soon as practicable, but generally by April 2006.
I shall now turn to the proposed NASD and NYSE rules on business continuity planning. For the NASD they are Rules 3510 and 3520; for the NYSE it is Rule 446. The proposed rules would require member firms and member organizations to develop, maintain, review and update written business continuity and contingency plans. The plans must be reasonably designed to enable the organization to continue its business in the event of a significant business disruption. An annual review of the plan is required, and the firm must designate a senior officer as responsible for the plan.
At a minimum, plans would be required to address the following:
- books and records back-up and recovery (hard copy and electronic);
- mission critical systems;
- financial and operational assessments;
- alternate communications with customers and employees;
- business constituent, bank and counter-party impact;
- regulatory reporting; and
- communications with regulators.
The NYSE also includes alternate physical location of employees as a plan requirement. Amendments to the proposed rules are now out for comment and final rules will be published when all issues have been resolved.
The final topic I would like to cover is the SEC examination of a firm's business continuity planning. This review is part of our Internal Controls and Risk Management examination. It is covered under the section on operational risk.
Some areas we cover are:
- senior management involvement;
- adequacy of resources;
- review and update of the plan;
- employee training;
- coverage of critical areas;
- back-up facilities;
- coverage of third party vendors and major counterparties and customers;
- short-term and long-term strategies;
- communication alternatives; and
- data back-up timing and capacity.
We will look to the general objectives and sound practices articulated by the regulatory agencies when we conduct our evaluations. As agency pronouncements and rules provide more specific requirements, we will look for compliance with those requirements.
We have come a long way in business continuity planning and disaster recovery since the 9/11 terrorist attacks. We are now better prepared to deal with wide-scale disasters. However, this is an ongoing process and because of the interdependencies within the capital markets, we all need to work on a coordinated business continuity planning approach. The goal is to minimize systemic disruptions, and maintain a high level of confidence in the ability of our financial services sector to perform its vital economic functions.
Thank you for your time and attention.