
Business Continuity Challenges for Financial Institutions

By Tom Schmidt

Earlier this year, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (or FSSCC), a network representing thousands of financial organizations, issued a report identifying the initiatives its members view as the most critical for 2005. Among the top initiatives:

  • Implementation of a structured and coordinated approach to testing sector resilience and the efficacy of sector business continuity practices.
  • Continued promotion of appropriate industry standards and guidelines for business continuity and resilience.

The report by the FSSCC, which was formed in the aftermath of September 11, makes one thing perfectly clear: financial institutions today face more intense pressure than ever before to ensure their mission-critical applications and data are constantly available. This article will look at some of the steps taken by the financial services sector to identify and reduce physical and cyberspace vulnerabilities, and to improve the overall efficacy of its business continuity practices.

An interdependent world

The events of September 11 underscored the fact that the financial services sector operates as a network of interrelated markets and participants. Two years ago, the U.S. Securities and Exchange Commission observed, "because of the interdependent nature of the U.S. financial markets, all financial firms have a role in improving the overall resilience of the financial system. It therefore is appropriate for all financial firms to review their business continuity plans and incorporate ... three broad business continuity objectives to the fullest extent practicable." Those objectives were:

  • Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
  • Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location;
  • A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.

Success stories

So how has the financial services sector fared thus far in meeting these challenges to improve its infrastructure resilience and business continuity practices?

In its annual report, released earlier this year, the FSSCC cited the following progress:

  • Identifying vulnerabilities: FSSCC member trade associations are helping other members identify and address vulnerabilities in their information technology infrastructures. For example, BITS, the technology arm of the Financial Services Roundtable, has published several documents outlining industry-identified "best practices" to address these issues: the "BITS Kalculator: Key Risk Management Tool for Information Security Operational Risks," a report on "Best Practices in Patch Management for the IT Practitioner," and the "BITS IT Service Providers Expectations Matrix," among others.
  • Business continuity mandates: A number of organizations promulgated business continuity requirements for their members (e.g., New York Stock Exchange Rule 446, National Association of Securities Dealers Rules 3510 and 3520). These rules require firms to maintain a current list of emergency contacts with the New York Stock Exchange and National Association of Securities Dealers, and also address how firms should provide customers with prompt access to their securities and funds in the event of an incident. In addition, they require firms to address critical business constituents in their continuity plans.
  • Increased business continuity testing: The Futures Industry Association (FIA) coordinated the first industry-wide test for the futures industry, while the Securities Industry Association (SIA) managed ongoing tests between securities industry participants.
  • Telecommunications resiliency: Steps were taken to improve the resiliency of the sector's telecommunications capabilities through dissemination of "best practices" information by BITS and other groups.
  • Sharing critical information: Examples include the SIA's emergency command center in New York City; the ChicagoFIRST organization's formal interactions with city and state officials; and the FIA's central repository of critical contact information for participants in the futures industry that can be used in an emergency to support crisis management.

Conclusion

Recently, we have seen how catastrophic events such as Hurricane Katrina and the London terrorist attacks can disrupt the flow of business on a major scale. And as financial institutions know, anything that disrupts processing transactions and serving customers for even a few minutes can spell disaster.

Firms that are behind the planning curve may face increasingly severe penalties in this very visible area, both for any excess costs to plan and prepare and for any failure to plan and prepare adequately.

Compliance mandates, risk requirements, and market forces have heightened the awareness and importance of business continuity planning in the financial services industry. Strategic decisions to maintain or increase the level of protection while lowering or maintaining the total cost of business continuity programs are fast becoming a source of competitive advantage for firms.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.
