View Whole SectionText only Print Print Manager Link
Previous Next

06-74 Member Business Continuity Experiences regarding Hurricanes Katrina and Rita

View PDF File

GUIDANCE

Business Continuity Planning

SUGGESTED ROUTING

KEY TOPICS

Executive Representatives
Information Technology
Legal & Compliance
Operations
Senior Management
Training
Business Continuity Planning
Rule 3500 Series (Emergency
Preparedness)

Executive Summary

In May 2004, NASD issued Notice to Members 04-37 regarding business continuity planning. That Notice addressed NASD Rules 3510 and 3520 and provided supplemental detail regarding the key elements of a business continuity plan (BCP).

Following Hurricanes Katrina and Rita in August and September 2005, NASD issued a voluntary survey on the topic of business continuity planning to certain member firms within the affected areas. The objective of the survey was to assess the value of business continuity planning and to learn from these firms' experiences. Overall, the survey helped provide valuable insight into business continuity planning and the implementation of such plans in the wake of a disaster. Firm responses also provide guidance to all member firms about specific business functions and tools that performed well following these events, as well as those that did not. The information in this Notice does not create new rules or obligations on members, nor does the implementation of any or all of the guidance create a "safe harbor" relative to any NASD rules.

Questions/Further Information

Questions concerning this Notice may be directed to Daniel M. Sibears, Executive Vice President & Deputy, Member Regulation, at (202) 728-8221.

Background

Implementation of NASD Rules 3510 and 3520 Addressing BCPs and Emergency Contact Information

In the days and weeks following September 11, 2001, the securities markets and industry showed an impressive ability to recover and continue business. To learn from the events of this period, NASD surveyed randomly selected members to gauge the industry's recovery capabilities in greater detail to determine, among other things, whether any regulatory action was needed to assure swift recovery in the event of any future significant business disruptions.

The survey yielded valuable results. It showed that a significant number of NASD member firms did not have BCPs in place at the time, or had plans that did not provide coverage in certain areas, such as document back-up and customer access to accounts during an emergency. As a result, NASD determined that member firms would benefit from the implementation of a BCP that contained, at a minimum, the following ten key components:

(i) Data back-up and recovery;
(ii) All mission-critical systems;
(iii) Financial and operational assessments;
(iv) Alternate communications between the member and its customers;
(v) Alternate communications between the member and its employees;
(vi) Alternate physical location of employees;
(vii) Critical business constituent, bank and counter-party impact;
(viii) Regulatory reporting;
(ix) Communications with regulators; and
(x) Assurance of customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.

These key components, along with industry feedback, were used to develop the new Rule 3500 Series (Emergency Preparedness) that requires members to establish emergency preparedness plans and procedures. The Securities and Exchange Commission (SEC) approved the rule series on April 7, 2004.1 NASD issued Notice to Members 04-37 in May 2004 to provide guidance to members regarding the implementation of the rules.

Rule 3510 (Business Continuity Plans) requires each member to create and maintain a written BCP identifying procedures relating to an emergency or significant business disruption that are "reasonably designed to enable the member to meet its existing obligations to customers" and enumerates certain requirements that each plan must address.2 Rule 3510 further requires each member to update its plan upon any material change in operations, structure, business or location and, at a minimum, to conduct an annual review of its plan.3 Each member also must disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope.4

Rule 3520 (Emergency Contact Information) requires each member to report to NASD prescribed emergency contact information for the member and update that information in the event of any material change.5 This is done electronically through NASD's Contact System (NCS).

Learning from Hurricanes Katrina and Rita

Following Hurricanes Katrina and Rita in 2005, NASD conducted a survey ("Katrina Survey" or "survey") of the business continuity planning of certain member firms impacted by these events. The objective of this voluntary survey was to assess the value of business continuity planning and to learn from these firms' experiences. The selected members included local, regional and national firms operating in affected areas of Louisiana, Mississippi and Alabama at the time of the hurricanes.

The Katrina Survey contained questions regarding the performance of firms' BCPs before, during and after Hurricanes Katrina and Rita. For various plan aspects, the survey asked firms to rank the performance of their BCPs and to provide feedback on their experiences. Overall, the Katrina Survey helped provide insight into business continuity planning that was effective and ineffective during these events. Firm responses also provided guidance about specific business functions and tools that performed successfully, as well as those that did not. In this regard, the results offered in this Notice are provided as guidance to members to use as they deem appropriate. The information does not create new rules or obligations on members, nor does the implementation of any or all of the guidance create a "safe harbor" relative to any NASD rules.

Discussion

Input from firms that found their business continuity planning effective during Hurricanes Katrina and Rita:

•   Some firms had pre-established and pre-tested recovery sites, systems and servers in place prior to the hurricanes. These back-up resources were activated by designated staff in advance of storm arrival and allowed for seamless transition of operations from the impacted offices to the back-up facilities. Additionally, persons at recovery sites were specifically empowered to act on behalf of the firm.
•  Some medium and larger firms represented that they benefited from having fully functional branch offices outside of the affected area. The branch offices served in some cases as the back-up center of operations as well as the relocation site for evacuated staff members. Telephones were forwarded to the branch office or recovery site in advance of storm arrival.
•   Some firms established nationwide toll-free numbers and Web site information specifically for business continuity purposes. This contact information was disseminated to customers (via such means as customer account statements) and employees well in advance of a disruptive event. Customers and employees were also encouraged to access the firm Web site for updates.
•  Some smaller firms noted the importance of cross-training employees to perform necessary functions. Employees experienced logistical difficulties, inconsistent access to firm systems and customers, and unavailability of relevant staff at particular locations. Cross-training allowed those employees with access to firm systems the ability to cover the responsibilities of, and handle customer contacts for, their impacted colleagues.
•  Medium and smaller firms stated that their respective clearing firms were instrumental in assisting with continuity of operations during these events. It was reported that clearing firms performed consistently well by providing access to customer funds and securities.

Input from firms that found their business continuity planning was not effective enough to compensate for the effects of Hurricanes Katrina and Rita:

•  Some firms noted the challenge of identifying and verifying customers following the hurricanes. These firms noted that they had underdeveloped customer identification procedures to address such circumstances.
•  Some small, medium and large firms experienced problems at their respective back-up/recovery sites due to untested servers, untested systems, inadequate access to systems or inadequate capacity.
•  Small firms with the fewest resources available to them had no alternate or recovery site in place at the time of the hurricanes.
•   Firms that relied heavily on paper records experienced the loss of irreplaceable documents and critical business information.
•   Some firms determined that portions of their BCPs were incomplete or out-ofdate. Some plans, for example, did not provide clearing firm contact information or contained out-of-date employee or customer contact information.

The survey also sought to learn specific lessons based on the experiences of member firms during Hurricanes Katrina and Rita. Members responding to the survey provided suggestions, feedback and advice borne from these experiences.

What some firms found helpful during the events of Hurricanes Katrina and Rita:

•  Across the board, firms surveyed noted that text messaging proved surprisingly reliable as compared to use of cell phones or land lines. In some cases, text messaging was the only reliable way to communicate with colleagues for a period of weeks.
•  Some firms recommended shipping in cell phones that have area codes outside the impacted regions, as they proved more reliable than cell phones with local area codes during and after the storms. Others found that having pre-loaded laptops with wireless cards or laptops shipped in by a parent company or clearing firm provided significant assistance in re-establishing and/or maintaining continuity of operations.
•  Medium and small firms expressed the importance of maintaining a relationship with a "sister" broker-dealer where they could recover, as well as implementing a "buddy" system among firm employees to assist in locating one another.
•  One firm recommended gathering additional information from customers, including contact numbers of relatives who could contact the customer. This information would be gathered on a voluntary basis in advance of an event. This additional information would assist a firm in communicating with displaced customers.
•  Having a Web site with screens for check-in, updates and postings for employees aided communication and coordination. In addition, firms recommended establishing a toll-free number for employees to check-in or "meet" by telephone.
•  Periodically repeating employee training to aid in memory recall of emergency plans during such an event and to keep procedures and protocols fresh in employees' minds.
•  Having a checklist of steps to follow and documents to move during evacuation of a site.
•  Understanding how to remove hard drives from desktop computers so that valuable information could be preserved even though hardware was lost.
•  Ensuring a clear understanding between clearing and correspondent firms as to the actions triggered by emergency circumstances and the time frames for the commencement and termination of the emergency procedures.

What some firms found least useful/helpful during Hurricanes Katrina and Rita:

•  Firms found that land line telephones within the impacted regions, as well as cell phones with area codes of the impacted regions, were not reliable. Also, firms that intended to rely on call forwarding through local switching stations found that switching stations impacted by flooding could not re-route telephones. These firms suffered from the inability to contact, or be contacted by, customers and employees.
•  When the hurricanes hit, some firms were relying on a local electronic mail (email) provider rather than a national email provider. The local provider was also impacted during the storms and service was disrupted. In addition, servers located within impacted regions were disabled and unable to be serviced.
•   Firms noted two items that posed significant employee-related challenges during and after Hurricanes Katrina and Rita: (1) Employees refusing to leave the impacted region and (2) long-term office space and employee housing in alternate locations/recovery sites that were not secured in advance of, or immediately following, the disasters.

Firm Feedback regarding NASD's BCP Tool, Templates and Related Resources:

Member firms were asked in the Katrina Survey to assess NASD's post-disaster response as well as to rate NASD's BCP guidance. The overall response was positive with firms saying NASD was "flexible," "accommodating" and "realistic." Firms stated they found NASD's BCP guidance to be satisfactory.

Resources Available through NASD

NASD continues to provide multiple BCP tools, templates and related resources on its Web site,
www.nasd.com/RulesRegulation/IssueCenter/BusinessContinuityPlanning/index.htm.

These online resources include:

•   BCP Frequently Asked Questions (FAQ).
•  BCP Repository Service.
•  The BCP Repository Service is powered by EVault and offered in association with NASD to provide members, for a fee, the following:
—   Remote access: upload, download and modify documents from anywhere with an Internet connection;
—   Collaboration: smooth document collaboration across authorized users;
—   Security: over-the-wire encryption of all uploaded and downloaded documents; and
—   Varied authorization levels: different access controls may be granted to individual users in the same account.
•  An example of a BCP disclosure statement for introducing firms with a clearing firm arrangement.
•  NASD Small Firm BCP Template as an optional guide to small introducing firms to assist them in creating and maintaining BCPs and emergency contact person lists under NASD Rules 3510 and 3520. The template recognizes that many small introducing firms rely on parts of a clearing firm's BCP for many of the missioncritical functions of the introducing firm. The template also contains instructions, relevant rules and Web sites, and other resources that are useful for developing a BCP for a small introducing firm.
•  A BCP planning case study.

Common Findings from NASD Examinations

Members have generally been in compliance with the requirements of NASD Rules 3510 and 3520 since implementation in 2004. Many have used the NASD Small Firm Business Continuity Plan Template to develop plans. Nonetheless, there have been areas of concern related to business continuity uncovered during NASD examinations that include:

(i) Consistency of addressing all of the BCP Requirements. Findings include members not adequately addressing one or more of the following key components of an effective BCP:
•   Impact of disruption upon critical business constituents.
•   Regulatory reporting and communications with regulators.
•   Providing customers with prompt access to funds and securities in the event that the firm is unable to continue its business.
•   Disclosure statement that addresses the possibility of a future business disruption and how the firm plans to respond to events of varying scope.
•  Updating and annually reviewing BCPs, and senior management approval of BCPs.
•  Data back-up and recovery during an emergency or significant business disruption.
(ii) Firm Identification of Emergency Contact Persons on NCS. Various NASD exams reviewing BCP compliance found that firms had not filed their designated two emergency contact person information on NCS as required by Rule 3520.

Summary of Survey Results

Based on the Katrina Survey results, firms found they were impacted in different ways by Hurricanes Katrina and Rita. Their experiences varied depending on the firm's size and preparedness. Smaller firms with fewer relative resources faced the most severe impacts. Some of these small firms benefited from strong relationships with their respective clearing firms, which in turn were able to take calls and handle customer needs during the emergency. Medium-size and larger firms had additional staff and resources to absorb the storms' impacts, including established and fully functional alternate business locations outside of the directly impacted areas.

Regardless of a firm's size or impact proximity, firms with well-tested BCPs found they faced minimal disruption. For example, firms of various sizes and resources operating inside the city of New Orleans that had thoroughly developed and tested their plans encountered fewer disruptions than less prepared firms operating outside of directly impacted areas. In this regard, the results of the survey captured in this Notice may assist members in better preparing for emergencies or significant business disruption caused by events such as fire, flood, wind and earthquake, a disruption involving power or property, or an unknown variable. Preparation and practice, as evidenced by the results of the Katrina Survey, will support a firm's ability to address the needs of all constituents during a time of crisis.


1 See Securities Exchange Act Release No. 49537 (Apr. 7, 2004), 69 Fed. Reg. 19586 (Apr. 13, 2004) (SEC Notice of Order Approving File No. SR-NASD-2002-108).

2 Rule 3510(a) and (c).

3 Rule 3510(b). Each member must designate a member of senior management who is also a registered principal to approve the plan and be responsible for conducting the required annual review. Rule 3510(d).

4 Rule 3510(e).

5 In addition, each member must review and, if necessary, update the member's emergency contact information within 17 business days after the end of each calendar quarter. See Rule 3520(b).


Previous Next