Business Continuity Planning
Referenced Rules & Notices
FINRA Rule 4370
Following Hurricane Sandy, which caused widespread damage on the northeast coast of the United States in October 2012, FINRA, the Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations and the Commodity Futures Trading Commission's (CFTC) Division of Swap Dealers and Intermediary Oversight jointly reviewed firms' business continuity and disaster recovery planning. FINRA, the SEC and CFTC are issuing the attached Business Continuity Planning advisory to encourage firms to review their business continuity plans and to provide best practices to help improve responses to, and to reduce recovery time after, significant large-scale events.
Questions concerning this Notice may be directed to your firm's Regulatory Coordinator.
Business Continuity Planning
Hurricane Sandy caused significant and wide-ranging damage across the northeast coast of the United States on October 28 and October 29, 2012, which led to the closure of the equities and options markets on October 29 and October 30, 2012. These events prompted the Securities and Exchange Commission's Office of Compliance Inspections and Examinations ("SEC"), the Financial Industry Regulatory Authority ("FINRA"), and the Commodity Futures Trading Commission's Division of Swap Dealers and Intermediary Oversight ("CFTC") to jointly review the business continuity and disaster recovery planning of firms.
The SEC, FINRA and CFTC contacted firms with a significant market presence to gain an understanding of how the firms were impacted by the events surrounding Hurricane Sandy; specific emphasis was given to firms' implementation of their business continuity plans ("BCPs") and disaster recovery procedures. The SEC, FINRA and CFTC communicated with several firms regarding the impact of Hurricane Sandy on trading, customer relations, financial and regulatory obligations, and technology, among other topics. As a result, the SEC, FINRA and CFTC compiled the following best practices and lessons learned.
The regulators encourage firms to review their business continuity plans and consider implementing these best practices and lessons learned as appropriate to help improve responses to, and to reduce recovery time after, significant large-scale events.
Widespread Disruption Considerations
• Firms should consider the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel and water in their BCPs. Consideration should be given to multiple, redundant services and the proximity of vendors to the potential disaster area.
• Remote access is an important component of business continuity planning. Firms should consider their employees' ability to work from home during a crisis and determine what steps can be taken to ensure adequate staffing during a crisis event. Firms should also consider enhancing the capabilities of staff that work from home by identifying technology and communications products and services that could increase efficiency. Since the use of remote access relies heavily on fully functional telephone and internet service, firms should consider alternatives to telework in their BCPs, particularly for key control functions such as compliance, risk management, back office operations and financial and regulatory reporting.
Alternative Locations Considerations
• When considering alternative locations (i.e., back-up data centers, back-up sites for operations, remote locations, etc.), firms should consider the implications of a region-wide disruption. Firms are encouraged to consider geographic diversity when determining the physical location of alternative sites. An alternative site, particularly a system back-up location, in close proximity to the primary site may not sufficiently protect the firm from the effects of a region-wide event. Firms should consider whether their primary site and alternative sites rely on the same critical utility services, such as electricity, transportation and telecommunications.
• Firms should consider the accessibility of alternative sites and the ability of staff to travel to the site in the event of a transit shutdown or closure of major roadways. Consideration should be given to staff ability to travel to remote locations, the methods of transportation to move staff to the site and living and lodging expenses related to relocating staff. Firms should further consider establishing pre-arranged contracts with shuttle service providers to facilitate the staff's transport to the work location. Also, familiarizing staff with the transportation alternatives prior to a contingency event may facilitate the process and help ensure that the transportation alternatives are efficiently used.
• Firms should consider the appropriate number of staff necessary at any alternative site to perform critical activities, including risk functions, control functions, finance and treasury activities, and ensure that adequate space is available. Firms should also consider including designations of key operations and supervisory staff to oversee activities.
• Firms should consider the generator capacity at the alternative site (i.e., Does it restore partial or full power?) and whether appropriate capacity is allocated to critical users, activities and systems in advance. Firms are also encouraged to explore the expansion of surplus generator capacity and fuel prior to a contingency event to support expanded business functionality.
• Firms should consider whether their alternate location site has adequate resources. Firms are encouraged to consider whether the site has sufficient staff workspace (e.g., desks, chairs, telephones, etc.), equipment (e.g., computers, printers, network connectivity, etc.) and supplies (e.g., paper, toner, etc.) to accommodate the staff and to carry on operations. In addition, firms should consider keeping their BCPs, contact lists and other necessary documents, procedures and manuals at the alternative site, ideally in paper form in the event that electronic files cannot be accessed.
• Firms should consider making pre-arrangements for reserving space at remote locations such as hotels or other office space and contemplate moving staff to the alternative location in advance of a significant BCP event.
• Firms should consider critical vendor relationships. Firms should consider examining whether vendors that provide critical services such as clearance and settlement, banking and finance, trading support, fuel, telecommunications, electricity and other utilities also have adequate BCPs. Firms should also consider taking into account that many of these providers could be impacted by the same communication, transportation and electricity challenges facing the firm.
• Firms should also consider categorizing vendors (low-risk, high-risk, etc.) and evaluating the risk in their BCPs. Firms should contemplate having pre-arranged contracts in place with multiple fuel suppliers and scheduling deliveries in advance of an event.
Telecommunications Services and Technology Considerations
• Reliance on a single telecommunications service provider may lead to significant communications disruptions when that service provider is unable to operate. Firms should consider contracting with multiple telecommunications carriers to provide a failover to a different carrier to maintain fax, voice mail, and landline and VoIP services. Firms should also consider evaluating how a telecommunication provider's contingency plans will affect the firm's ability to operate. Firms should consider using multiple telecommunication providers, secondary phone lines, cloud technology, temporary phone lines, mobile telecom units and Wi-Fi for staff without power, as well as back-up mobile phone services with different carriers. Firms are encouraged to provide customers, trading counterparties and regulators with updated contact information should alternate telephone lines be used.
• Firms should consider multiple alternative staffing scenarios including remote access, staff relocation or staffing at alternative sites. Firms should consider enhancing their telecommunications infrastructure to ensure that staff remains fully functional while working from home during brief and extended periods of time.
Communications with Customers and Other External Third Parties
• Firms should consider a plan for providing customers and trading counterparties with contact information so that business can continue. Firms should consider taking measures to ensure that their website is kept up-to-date with information about the firm's operational status and general contact information during a disruption event. Introducing firms should consider publishing contact information for clearing firms on their websites to enable customers to execute liquidating orders or wire transfers through their clearing firms should the firm be inoperable. Clearing firms are encouraged to be in a position to authenticate the validity of customer requests.
• Firms should consider whether to establish relationships with multiple broker-dealers to facilitate alternative market entry points.
• Firms should consider implementing a communication plan that allows firms to better communicate and coordinate with regulators, exchanges, emergency officials and other firms. Such coordination should reduce the likelihood of inconsistent communications. Firms are encouraged to participate in industry groups and task forces that may assist firms in strengthening their communication plans.
Communications with Staff
• Firms should consider establishing a centralized process for accounting for all staff members rather than relying on each business unit to contact staff individually. Firms should also update emergency contact lists frequently (e.g., as staff members are added or removed) so staff can be contacted with firm updates.
• Firms should consider adopting more diverse methods of communication with employees including allowing staff, particularly critical staff, to carry multiple communications devices on multiple carriers (e.g., multiple mobile phones, softphones and T-1 lines).
Regulatory and Compliance Considerations
• Firms should consider time-sensitive regulatory requirements, since a crisis event can occur at any time. For example, some firms put a lower prioritization on month-end financial processes, which increased challenges due to the storm's proximity to month end, and caused delays in firms' production of certain month-end data for regulatory computations and financial reporting.
• Firms should regularly update their BCPs to include new regulatory and SRO requirements. Firms run the risk of failing to comply with new regulatory and SRO requirements when their BCP is not regularly updated. For example, the Chicago Mercantile Exchange and National Futures Association enacted new requirements for the daily reporting of financial data in 2012. It appeared that this new requirement may not have been included in some firms' BCP processes and therefore may not have been properly prioritized.
Review and Testing
• Firms should consider conducting full BCP tests and participating in industry testing, at least annually, but more frequently if changes are made. Firms should consider full staff BCP tests to evaluate whether all day-to-day functions, including trade processing, can be performed regardless of staff location. In addition, firms are encouraged to keep their BCPs up to date and to amend their BCPs to incorporate testing results.
• Regarding business continuity training, firms should consider conducting annual or more frequent training on their BCPs to familiarize all personnel with the plan and their critical pre-established roles.
• In addition, firms should consider incorporating stress tests into their BCPs. For example, firms could perform a stress test on their liquidity position and review the level of excess customer reserves. Based on this analysis, firms may be better prepared to adjust liquidity or excess reserves (e.g., term repos versus overnight, ability to liquidate money market funds, ability to meet margin calls in a potentially volatile market, adding excess segregation reserves) prior to an event.