Sept. 10 marked the last of several SEC-approved deadlines for NASD and New York Stock Exchange members to implement business continuity standards. But the term "deadline" is a bit of an overstatement, as many firms still are rolling out improvements to meet the regulatory requirements.
New York-based Rosenblatt Securities is representative of many financial-services firms. It has a business continuity plan (BCP) in place but still sees room to hone its processes. "There are a lot of manual processes right now," says Ahmed Sako, Rosenblatt's CTO. "Some things that we're doing will make the process a lot more seamless."
BCP consultant Joe Anastasio, founding partner and senior client partner of Capco North America, contends that some financial services firms have become complacent and haven't done enough to remedy vulnerabilities. "Since Sept. 11, we haven't had a single incident, and one of the things that I think has occurred is this 'lightning doesn't strike twice' [mentality]," he says.
To create a sense of urgency, the SEC in April approved rules proposed by NASD and the NYSE that require members to develop BCPs and procedures to deal with an emergency. The rules - specifically, NASD Rule 3500 Series and NYSE Rule 446 on Business Continuity and Contingency Plans - cover 10 key areas, including data backup and recovery, mission-critical systems and alternate communications among the firm, its employees and its customers.
A member's BCP must address how the firm will ensure customers prompt access to their funds and securities if the organization can't continue its business. Firms must disclose a summary of their BCPs to their customers and address how they intend to respond to potential disruptions.
Seeking Aid to Make the Grade
At Rosenblatt, Sako says the firm has finished Phase One and is moving toward Phase Two of its BCP. "We have a process right now, but it's cumbersome," he says. Rosenblatt backs up its systems nightly, sending the backup tape off-site. After three months, the tape is erased.
The process eats up a lot of technology resources, Sako says, so the company is working on a plan that requires less manual intervention. "From a pure technology perspective, what we've started to do - rather than build a lot of this functionality in-house - is outsource the bulk of it," he says. The firm plans to work with Walnut Creek, Calif.-based EVault, a data backup and recovery provider, and Boston, Mass.-based Iron Mountain, a records storage and management specialist, to keep information off-site and readily accessible. It's also exploring setting up remote disaster-recovery facilities.
Outsourcing is an appealing option for many smaller and mid-size firms. But Capco's Anastasio cautions that ultimate responsibility for the BCP remains with the firm. "The fact that you've outsourced operations or data center processing to somebody else doesn't abdicate your responsibility," he says.
Clearing firms, such as Pershing, a member of BNY Securities Group and a subsidiary of The Bank of New York, are further along on the disaster-recovery process. In 2002, Pershing enlisted the help of IBM to build an integrated IT environment comprised of IBM servers, storage systems and software. The installation featured a mirrored data center, with near real-time capability.
This May, shortly after the SEC approved the BCP rules, Pershing enhanced the IBM infrastructure and upgraded its enterprise storage servers with 18 new IBM TotalStorage Enterprise Storage Servers. The new technology supports a mirrored data center that automatically copies four to five terabytes daily, with just a nine-second delay.
Establishing a Support Group
Of course, implementing technology is only part of the BCP process. People play a vital role in its success. In April, Pershing created a task force of senior executives from across the organization - compliance, corporate services, operations, technology, marketing, legal, the national customers group and the business continuity group - to review each of the requirements set forth in the rules.
Jane Longendyck, director and quality assurance officer at Pershing, says the task force identified gaps and instituted appropriate processes to comply with the rules. "[NYSE] Rule 446 D requires each member to disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how they plan to respond to events of varying scope," she says. To comply, the company posted its BCP on its Web site, a standard practice that has been adopted by companies including Deutsche Bank, Goldman Sachs and Morgan Stanley. Additionally, Pershing discloses its BCP when a client opens a new account.
Although it wasn't a regulatory requirement, Pershing also developed a plan to support clients of its introducing broker-dealers in the event of a disruption. Now, clients can communicate directly with the clearing firm to access cash and securities in their brokerage accounts. "We've made the plan available to our introducing broker-dealers to provide to their clients," Longendyck says.
Prior to the deadlines, Pershing already had "an awful lot in place," Longendyck says, and only "minor changes" were needed. Going forward, one possible change Longendyck sees on the horizon is requiring a representative from Pershing's business continuity group to sign off on any new technology application "to make sure there is redundancy before the change actually goes into production," she explains.
Clearly, when it comes to BCPs, deadlines aren't the end of a plan's evolution. The most important effect of the rules, says Capco's Anastasio, was to bring business continuity planning to senior management's attention. "It created more of an awareness and focus, and most importantly, a sense of responsibility in the executive management meeting room ... that this is their fiduciary and management responsibility," he says.
Anastasio divides firms into three distinct business-continuity categories: high risk, moderately prepared and extremely well-prepared. High-risk firms lack the budget to invest in business continuity planning and lack the technology resilience to recover from a single site loss. They have too many people - or too many people with similar skills - concentrated at a single location, and they are prepared only for routine risks, such as a fire or technology outage. "They're not thinking about a chemical attack on the subway, some sort of terrorist attack that makes downtown or midtown non-accessible for three weeks, or the total destruction of an entire building," he says.
Extremely well-prepared firms have embraced best practices such as constant cross-training of staff, routinely rotating key job functions and responsibilities from one location to another, and deploying mobile technology that allows people in, say, London to do jobs normally based in New York.
Regardless of where a firm is on the planning spectrum, every firm is wrestling with what's the right amount to invest in business continuity planning. Says Anastasio: "[Firms] know it's serious. They know they have to do it; they know it costs money; and they're all right now examining how they fit it in to their 2005 budgetary process to make sure they are as resilient as they have to be."