In response, federal regulators recently issued an advisory aimed at strengthening business continuity plans (BCPs).
The joint guidance, issued by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Financial Industry Regulatory Authority (FINRA), encourages firms to review their BCPs with a particular focus on improving responses to significant large-scale events. It lists specific best practices and lessons learned from the regulators’ reviews of the events surrounding Superstorm Sandy.
The advisory suggests effective practices in the following areas:
Preparation for widespread disruption: BCPs should address the potential widespread lack of telecommunications, transportation, electricity, office space, fuel and water. Firms should also determine what steps can be taken to ensure adequate staffing during a crisis event, including how to best facilitate working remotely.
Planning for alternative locations: When considering alternative locations (e.g., back-up data centers, back-up sites for operations, remote locations), firms should try to achieve geographic diversity. This will help ensure the continuity of operations during a region-wide event.
Telecommunications services and technology: BCPs should address how to keep technology and telecommunications systems up and running. Options include using multiple providers, secondary phone lines, cloud technology, temporary phone lines, mobile telecom units and Wi-Fi for staff without power, as well as back-up mobile phone services with different carriers.
Communication plans: Firms should have plans in place to maintain communications with customers, staff and third parties, such as vendors and regulators. This includes keeping the firm’s website updated during an emergency situation with important information regarding operational status and general contact information. Firms should also have procedures in place to keep staff informed and stay in touch with critical members.
Regulatory and compliance considerations: Firms should be cognizant of time-sensitive regulatory requirements, since a disaster can strike at any time. Firms should also regularly review their BCPs to ensure continuing regulatory compliance.
Reviewing and testing: Firms should conduct annual business continuity training, participate in industry testing, and perform their own BCP stress tests.
If you have any questions about the advisory or would like to discuss your company’s business continuity plan, please contact me, Dennis Linken, or the Scarinci Hollenbeck attorney with whom you work.