Recovery and Renewal: Protecting the Capital Markets Against Terrorism Post 9/11
Robert L. D. Colby
Deputy Director, Division of Market Regulation
U.S. Securities and Exchange Commission
Before the House Subcommittee on Capital Markets, Insurance, and Government Sponsored Enterprises, Committee on Financial Services
February 12, 2003
Chairman Baker, Ranking Member Kanjorski and Members of the Subcommittee:
I appreciate the opportunity to testify before you today, on behalf of the Securities and Exchange Commission, regarding the efforts since the September 11 terrorist attacks to better protect U.S. financial markets and institutions. My testimony will focus primarily on the steps taken by the Commission and the securities industry to strengthen the resilience of the securities markets over the past 17 months. I also will briefly discuss the Commission's longstanding program to review key automated systems that support the U.S. financial markets. In so doing, I will address, in general terms, issues raised in the Report released today by the U.S. General Accounting Office (GAO) regarding certain additional actions to better prepare critical financial market participants for potential terrorist attacks.1
I. Resilience of Securities Markets
As the GAO recognizes in its Report, participants in the U.S. financial markets made heroic efforts to recover from the devastation of the September 11 attacks, with the result that all markets reopened successfully within a week after those tragic events. Nevertheless, the Commission, other regulators and the industry have engaged in wide-ranging and intensive efforts to consider the "lessons learned" from the events of September 11, and strengthen the resiliency of the financial sector, so that we are even better prepared going forward.
A. Industry Efforts
Immediately after the September 11 attacks, the securities industry recognized the need to develop more rigorous business continuity plans that address problems of wider geographic scope and longer duration. Market participants have taken a number of significant steps to improve their resiliency, including establishing more robust and geographically dispersed backup facilities for operations and data recovery, improving crisis management procedures, and seeking telecommunications diversity. Given the highly-interconnected nature of the financial sector, the business continuity efforts of market participants must be coordinated to be effective, and various industry associations have been instrumental in this regard. Last summer, for example, the Securities Industry Association developed a number of "best practices," relating to business continuity programs, recovery strategies, and recovery resources, that it recommends be observed by all securities firms. In addition, the securities industry has taken concrete steps to reduce its vulnerability to telecommunication failures. The Securities Industry Automation Corporation (SIAC), for example, has developed a private, highly-resilient communications network known as the "Secure Financial Transaction Infrastructure" or "SFTI" to offer market participants local connectivity to key trading, clearance and settlement, and market data services.
B. Regulatory Efforts
The Commission and other financial regulators also have been devoting substantial resources to projects designed to strengthen the resilience of the financial sector. For example, the Commission has been working with the Federal Reserve Board and the Office of the Comptroller of the Currency in an effort to identify "sound practices" for business continuity planning for key market participants. This past August, we published for comment a draft White Paper that focused on a small but critical group of participants in the U.S. clearance and settlement system. The goal of this project is to minimize the immediate systemic effects of a wide-scale disruption by assuring that the key payment and settlement systems can resume operation promptly following a wide-scale disaster, and major participants in those systems can recover sufficiently to complete pending transactions. In this way, market participants unaffected by the disaster could continue to operate with minimal disruption and, when those impacted by the event are in a position to resume operations, the critical infrastructure would be available for them to do so. The sound practices include intraday resumption or recovery goals, maintenance of sufficient geographically dispersed resources to meet those goals, and routine testing of business continuity arrangements. The agencies expect to issue the final White Paper next month, after an additional round of consultations with the industry, and then incorporate the sound practices into their respective forms of supervisory guidance.
In addition, Commission staff has been reviewing, on an ongoing basis, the efforts of the organized securities markets the exchanges, Nasdaq, and electronic communications networks (ECNs) to strengthen their resilience in the post-September 11 environment. As noted in the GAO Report, these markets have taken a variety of steps to improve their physical security, information system protections, and business continuity capabilities. For example, the New York Stock Exchange has taken substantial measures to physically secure its Wall Street trading floor, and has established an off-site alternative trading floor that could be activated on a next-day basis if the exchange's Wall Street trading floor was rendered inaccessible. Commission staff continues to work with these markets to further increase the robustness of their individual plans. In addition, we have been exploring with the markets the possibility of mutual back-up arrangements. For example, at our urging, the New York Stock Exchange and Nasdaq have agreed to serve as back-up trading platforms for each other's securities if a catastrophic event forced an extended closure of one market. We continue to work with the New York Stock Exchange and Nasdaq as they assess, with key market participants, the optimal framework for these back-up arrangements.
As to the resilience of securities firms, the New York Stock Exchange and NASD have proposed rules that would require all broker-dealers to have business continuity plans that address a number of important areas. Specifically, under the proposed rules, member firms would need to develop, maintain, review, and update business continuity plans which establish procedures to be followed in the event of an emergency or significant business disruption. Among other things, these procedures would have to address data back-up and recovery, mission critical systems, ongoing financial and operational assessments, and alternate communications links. The Commission expects to complete its review of these proposed rules shortly. We also have been working with relevant industry associations such as the Securities Industry Association and The Bond Market Association on their members' business continuity and disaster recovery efforts.
Further, the Commission and a number of other financial regulatory agencies (including the Department of the Treasury, Federal Reserve Board, Commodity Futures Trading Commission, Office of Comptroller of the Currency, and Office of Thrift Supervision) participate in the Financial and Banking Information Infrastructure Committee (FBIIC). As you know, FBIIC is designed to coordinate the oversight programs of individual regulators with the President's Critical Infrastructure Protection Board (for potential cyber threats) and the Office of Homeland Security (for potential physical threats). FBIIC initiatives include evaluations of the vulnerability of critical assets for markets and payment systems, improvements in interagency secure communications systems, and the development of protocols for disseminating potential threat alerts from the Office of Homeland Security to regulated entities. In addition, the Commission has joined other FBIIC agencies to ensure that key market participants are able to take advantage of government-sponsored programs designed to facilitate critical telecommunications during emergencies, and to speed the restoration of essential telecommunications lines following a catastrophic outage.
Finally, I should note that the Commission has been working with Federal Emergency Management Agency and New York City and State authorities to improve coordination in the event of future disasters. In particular, we have been focusing on efforts to facilitate the rapid restoration of critical infrastructure services such as telecommunications, power, water, and transportation in New York City to key participants in the securities markets following any future catastrophic event in that area.
C. Policy Considerations: Resumption of Clearance and Settlement vs. Resumption of Trading
To date, as the GAO Report correctly indicates, the Commission's intensive efforts have focused on assuring the resilience of the U.S. clearance and settlement system. In our view, the clearance and settlement infrastructure is the single most critical element of the securities markets. As a practical matter, securities transactions cannot be completed in the absence of a functioning clearance and settlement system and, were this system to become incapacitated, the accumulation of failed transactions could create financial exposures in the clearance system and significant systemic risk. This also could make the eventual reopening of the markets all the more difficult. For these reasons, the Commission has given priority to initiatives that assure the prompt implementation of rigorous business continuity plans by these critical entities.
The GAO Report recommends that the Commission do more to assure the resumption of trading by the securities markets and broker-dealers following a major disaster. As noted in the staff's formal comment letter, we share the GAO's views regarding the importance of emergency preparedness of the financial markets, and generally agree with the Report's principle that the financial markets should be prepared to resume trading in a timely, fair and orderly fashion following a catastrophe. By the same token, we also are of the view that individual markets and securities firms are less critical to the securities markets than the key clearance and settlement utilities. For one, trading activity is relatively fungible across markets. In today's diverse U.S. national market system, we find that very few securities are traded only in one market. As a result, we believe that, were any single securities market to become incapacitated, trading could be shifted to one or more of the remaining markets. Of course, sufficient advance preparation is required for any such arrangement to work smoothly and promptly and, as I indicated earlier, Commission staff is in the midst of just such an effort.
As to the resumption of trading by securities firms, in our view, strong business incentives exist for broker-dealers to develop robust business continuity plans for their trading operations. Trading operations, of course, are a source of significant revenue for broker-dealers, and few would risk a situation where their competitors are in a position to trade and they are not. Besides the short-term loss of revenue that would result from this circumstance, there would exist a real possibility of business shifting permanently to more resilient competitors. In addition, customers and counterparties increasingly are seeking assurances that firms have taken appropriate steps to assure their ability to function in the face of even the largest catastrophes.
We also would be concerned with any broad notion that broker-dealers be compelled to resume trading activities. As the staff points out in its comment letter, a broker-dealer's provision of liquidity to the market is voluntary. Because risking capital and providing brokerage services are in essence business decisions, a broker-dealer's choice whether to continue to trade on an ongoing basis or in a crisis is not primarily a matter of government regulation; rather it is governed by the costs involved, relationships with customers, and profitability. Nevertheless, we believe that broker-dealers should provide customers with access to funds and securities in their accounts as soon as is physically possible, and that business continuity planning expectations must reflect this consideration.
Finally, we note that there are critical policy considerations related to the reopening of the trading markets following a major disaster that could suggest not pursuing the speediest possible recovery. In the event of a disruption of the securities markets, the Commission has a fundamental regulatory interest in assuring the prompt yet smooth resumption of trading. Deciding when to reopen the markets will involve an assessment of the operational capabilities of the markets and major market participants, as well as the clearance and settlement system. Difficult judgments may be required to strike the appropriate balance between the desire to resume trading as soon as possible, and the practical necessity of waiting long enough to minimize the risk that, when trading resumes, it will be of inferior quality or interrupted by further problems. For example, in the aftermath of the September 11 events, many praised the decision to wait until Monday, September 17, to reopen the equities markets, as it allowed market participants the preceding weekend to test connectivity and systems, and thereby better assure the smooth resumption of trading.
D. Further Commission Action
Despite these policy considerations, we nevertheless agree with the GAO that more needs to be done to prepare the securities markets for the resumption of trading in the event of a crisis. Specifically, the Commission intends to consider whether it should identify a time frame against which markets should plan to resume trading following a wide-scale regional disaster. By establishing a specific resumption goal, we would provide the securities markets with a consistent benchmark to use in developing more resilient business continuity plans. Such a benchmark could be incorporated into the Commission's existing guidance to markets in this area. That said, we reiterate that, even if the markets are able to resume trading from a technical standpoint, it may not be wise to do so in a given situation if there is significant risk of additional disruptions, or if trading is likely to be of inferior quality. The Commission also intends to continue to work with the New York Stock Exchange, Nasdaq, and the other organized securities markets to develop and test mutual back-up arrangements for various scenarios. Finally, the Commission will work with the markets to increase the resilience of important shared information systems, such as the consolidated market data stream generated for the equity and options markets.
Any timing goal established for the resumption of the trading markets could serve as a useful resumption benchmark for securities firms as well. As previously noted, securities firms have strong business incentives to be prepared to participate in the markets whenever their competitors are in a position to do so. Accordingly, a resumption benchmark for the securities markets may very well act as a de facto benchmark for broker-dealers. In addition, the Commission will consider developing standards, in conjunction with the self-regulatory organizations, to help assure that broker-dealers are able to provide customers prompt access to their funds and securities, even in the face of a wide scale regional disruption.
II. Automation Review Policy (ARP) Program
The GAO Report also recommends that the Commission improve its oversight of operations risk by issuing a rule to require exchanges and clearing organizations to engage in practices consistent with its Automation Review Policy (ARP) program, and by expanding the resources dedicated to the ARP program.
Let me begin by giving you a brief overview of the Commission's ARP program. As a result of our experience during the October 1987 market break and the October 1989 market decline, the Commission issued two Automation Review Policy (ARP) statements regarding the use of technology in the securities markets.2 The Commission's Division of Market Regulation established the ARP program to implement the ARP statements. The goal of the ARP statements is to reduce the likelihood that market movements are the result of confusion or panic resulting from operational failure or delays in automated trading and trade dissemination systems. The ARP program implements the ARP statements by assessing the development and management of the automated systems at the exchanges, Nasdaq, clearing organizations, and large electronic communications networks (ECNs). These automated systems are reviewed with respect to capacity, security, systems development methodology, telecommunications, and contingency planning. Commission staff monitor significant interruptions to service in these trading and clearing systems and obtain a periodic update from each organization on present and future developments in their automation systems.
The Commission is dedicated to achieving the goals of the ARP statements. We recognize the critical role that technology plays in the securities industry and, specifically, the importance of having in place adequate safeguards and controls over information resources to ensure reliable and timely trading services to investors.
The events of September 11 underscored the financial markets' critical and increasing dependence on the integrity of their systems infrastructure. The impact of the disaster on market operations confirmed the value of having in place controls over the automated systems that support the U.S. financial markets, including effective contingency plans to facilitate continued trading. In this regard, we share the GAO's views regarding the importance of emergency preparedness of the financial markets.
New technologies that support the financial markets are constantly emerging. The September 11 attacks revealed new market vulnerabilities attributable to catastrophic events that had not been previously contemplated. Similarly, the Commission's approach to reducing the risk of a systems-related market disruption is an evolving one, which must adjust to these developments. In light of the GAO's recommendations, we will consider alternative mechanisms to improve the effectiveness of the Commission's automation oversight, including the appropriateness of rulemaking. We also will assess the additional resources that may be necessary to accomplish the objectives reflected in the ARP statements and the GAO Report.
Thank you for the opportunity to testify before you today. I would be happy to answer any questions you may have.
1 Report to Congressional Requesters of the United States General Accounting Office entitled Potential Terrorist Attacks: Additional Actions Would Better Prepare Critical Financial Market Participants (February 12, 2003).
2 Securities Exchange Act Release Nos. 27445 (November 16, 1989) [54 Fed. Reg. 48703] (ARP I) and 29185 (May 9, 1991) [56 Fed. Reg. 22490] (ARP II).