Just in time for hurricane season, the Securities and Exchange Commission, Commodity Futures Trading Commission and Financial Industry Regulatory Authority told firms in an advisory Friday the steps they should take to implement effective business continuity and disaster recovery plans.
The jointly released advisory follows a joint review by the regulators in the aftermath of Hurricane Sandy, which caused widespread damage to Northeastern states and closed U.S. equity and options markets for two days in October.
The SEC, FINRA and CFTC say they contacted firms with a significant market presence to gain an understanding of how the firms were impacted by the events surrounding Hurricane Sandy; specific emphasis was given to business continuity plans and disaster recovery procedures.
The SEC’s Office of Compliance Inspections and Examinations (OCIE), the CFTC’s Division of Swap Dealer and Intermediary Oversight, and FINRA issued the advisory to encourage firms to review their plans so as to improve responses to and reduce recovery time after significant large-scale events.
“Market reliability and resilience are vital to investors and to the fair and efficient operation of capital markets,” said OCIE Director Andrew Bowden, in a statement. “In partnership with our fellow regulators at FINRA and the CFTC, we are sharing these lessons learned from Superstorm Sandy to help industry participants better prepare for future events that threaten to disrupt market operations.”
FINRA Executive Vice President Grace Vogel added in the same statement that “With hurricane season under way, and with the problems from last year fresh in mind, we trust that our member firms will review their business continuity planning procedures against these best practices.”
The advisory’s suggestions for effective practices include:
- Preparation for widespread disruption. Firms should consider the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel and water.
- Planning for alternative locations. When considering alternative locations (e.g., backup data centers, backup sites for operations, remote locations), firms should consider the implications of a region-wide disruption. Firms are encouraged to consider geographic diversity when determining the physical location of alternative sites.
- Telecommunications services and technology. Reliance on a single telecommunications service provider may lead to significant communications disruptions when that service provider is unable to operate. Firms should consider contracting with multiple telecommunications carriers to provide a failover to a different carrier to maintain fax, voice mail, landline and VoIP services. Firms should also consider evaluating how a telecommunication provider’s contingency plans will affect the firm’s ability to operate.
- Communication plans with customers and other external third parties. Firms should consider a plan for providing customers and trading counterparties with contact information so that business can continue.
- Regulatory and compliance considerations. Firms should consider time-sensitive regulatory requirements, since a crisis event can occur at any time, and firms should regularly update their business continuity procedures to include new regulatory and SRO requirements.
- Reviewing and testing. Firms should consider conducting full business continuity procedure tests and participating in industry testing, at least annually, but more frequently if changes are made.