U.S. regulators urge firms to improve business continuity and disaster recovery plans

Futures and securities firms should review their industry-wide and internal business continuity and disaster recovery plans to improve responsiveness to significant disruptions and reduce recovery time, their regulators said Friday in a staff advisory.

U.S. regulators have been particularly concerned over how financial firms plan for disasters since the attacks of September 11, 2001, and through the President’s Working Group on Financial Markets during the administration of George W. Bush urged the industry to strengthen its defenses. The concerns have included flooding following Hurricane Katrina and the threat of an influenza pandemic, and are growing.

The Securities Industry and Financial Markets Association, a securities industry trade group, in July tested resilience to a cybersecurity threat. Preliminary reports of the “Quantum Dawn” exercise were positive, and SIFMA will release a more detailed report, a spokesperson told Compliance Complete.

The regulatory guidance followed a review of the responses to the disruptions in the northeastern states following Hurricane Sandy, which closed U.S. equity and options markets on October 29 and 30, 2012. Many firms located south of midtown Manhattan and on the New Jersey side of the Hudson River were closed much longer, as were public and vehicular transit, and electrical, water and sanitary facilities.

The storm was the fifth time in as many decades that U.S. capital markets were, in a sense, blacked out, but none of these events struck while the markets were open. Power outages in 1965, 1977 and 2003 darkened Wall Street after the close of the markets, the 9/11 attacks began before the opening bell, and Sandy hit the New York-New Jersey area on a Sunday.

The advisory was issued by the Securities and Exchange Commission Office of Compliance Inspections and Examinations, the Commodity Futures Trading Commission Division of Swap Dealer and Intermediary Oversight and the Financial Industry Regulatory Authority, the securities industry SRO, or self-regulatory organization. The regulators said examining firms with a significant market presence showed the need to review business continuity plans (BRPs) and disaster recovery plans (DRPs), and make them more effective, in several critical areas.

Widespread disruption considerations

In view of the possibility of widespread lack of communications, transportation, electricity, office space, fuel and water, firms should consider having multiple redundant services and how close its vendors are to the potential disaster area. Firms should consider all aspects of remote access, including having enough staff, whether they can work from home or a secondary site, and, if they work at a temporary site, their living arrangements. In case of telecommunications disruptions, firms should also consider alternatives to telecommuting, particularly for key control functions such as compliance, risk management, back office operations and financial and regulatory reporting.

Alternative locations considerations

In considering an alternate site, firms should ask whether they would be immune to potential disruption. For example, Pennsylvania’s Pocono Mountains had electricity during the 2003 blackout because they are on a different power grid than the rest of the northeast, and local authorities proposed building a back-office and residential park – “Wall Street West” – with fiber-optic links to the real one.

Firms should not neglect critical activities such as risk and control functions, and finance, treasury and other key operations and supervisory functions, and should also consider how their staff can commute to, or live at, the alternative sites, and make advance contingent arrangements if possible.

Vendor relationships

Firms can risk-rate vendors providing critical services such as clearance and settlement, banking and finance, trading support, telecommunications and other necessities to be sure they have adequate BCPs of their own, especially if they could be impacted by the challenges facing the firm in a disaster.

Telecommunications services and technology considerations

Telecommunications – including data and mobile – service providers may be subject to the same challenges as other local vendors, so firms should consider their providers’ contingency plans as well as the availability of alternate providers, especially for remote or off-site operations. The regulators urged firms to provide them, as well as customers and trading counterparties, with updated contact information should alternate telephone lines be used.

Communicating with staff, customers and other external third parties

Firms should consider using a central point to contact their staff rather than relying on each business unit to do so, and should update emergency contact lists frequently and as staffers are added or removed. Firms should also consider providing customers and counterparties with this information and ensuring that their website is up-to-date on their operational status and availability during an event.

Introducing firms should consider having their websites list contact information for clearing firms so customers can execute liquidating orders or wire transfers should the firm be inoperable. Firms should also consider teaming with multiple broker-dealers to facilitate alternative market entry points.

Firms should also implement a plan to allow better communications and coordination with regulators, exchanges, emergency officials and other firms to reduce the likelihood of inconsistent communications, and are encouraged to participate in industry groups and task forces to strengthen their resilience.

Regulatory and compliance considerations

Firms should regularly update their BCPs to include new regulatory and SRO requirements, such as 2012 requirements by the Chicago Mercantile Exchange and the National Futures Association, that industry’s SRO, for daily reporting of financial data, and should consider time-sensitive regulatory requirements.

Review and testing

Firms should consider conducting full BCP tests and participating in industry efforts such as SIFMA’s at least annually, and more frequently if changes are made. The tests should evaluate whether all operations, including trade processing, can be performed regardless of staff location, and the firms’ BCPs should reflect the testing results.

Firms should also consider conducting annual or more frequent training to familiarize the staff with the BCP and their critical pre-established roles, and should consider incorporating stress tests into their BCPs to better prepare themselves, for example, to adjust liquidity or excess reserves before an event.

NFA separately offered guidance on considerations in developing BCP and DRP programs, and urged futures firms to review a rule and interpretive notice in doing so.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)