With this year's hurricane season underway, and memories of last year's Superstorm Sandy painfully fresh, regulators are prodding public companies, particularly those in the financial sector, to reconsider their business continuity and disaster recovery plans.

New guidance was jointly released by the Securities and Exchange Commission, Commodity Futures Trading Commission, and the Financial Industry Regulatory Authority last week. The advisory follows their joint review of the aftermath of Hurricane Sandy, which caused widespread damage to Northeastern states and closed U.S. equity and options markets for two days in October 2012.

The CFTC's Division of Swap Dealer and Intermediary Oversight, the SEC's Office of Compliance Inspections and Examinations, and FINRA issued the advisory to encourage firms to review their business continuity plans so as to improve responses to and reduce recovery time after significant large-scale events.

“We are sharing these lessons learned from Superstorm Sandy to help industry participants better prepare for future events that threaten to disrupt market operations,” said OCIE Director Andrew Bowden in a statement.

Among the topics covered by the advisory: preparation for widespread disruption, planning for alternative locations, telecommunications services and technology, communication plans, regulatory and compliance considerations, and reviewing and testing.

Compliance Considerations

Firms should consider time-sensitive regulatory requirements, since a crisis can occur at any time, the agencies advise. For example, some firms put a lower prioritization on month-end financial processes, which proved problematic when Sandy hit at the end of that October. This caused delays in the production of month-end data for regulatory and financial reporting.

Businesses should regularly update business continuity plans (BCPs) to include new regulatory and self-regulatory requirements, or they run the risk of non-compliance. For example, the Chicago Mercantile Exchange and National Futures Association enacted new requirements for the daily reporting of financial data in 2012. “However, this new requirement may not have been included in some firms' BCP processes and may not have been properly prioritized,” the advisory says.

Companies don't only need to get their own disaster planning in order, but should ensure that their mission-critical suppliers are also up to par. The guidance advises companies to examine whether vendors that provide services such as clearance and settlement, banking and finance, trading support, fuel, telecommunications, electricity, and other utilities also have adequate BCPs. They should consider categorizing vendors (low-risk, high-risk, etc.), the guidance suggests, and they should consider contracting with multiple providers to build in redundancy.

Consider incorporating stress tests into BCPs, the agencies say. For example, firms could perform a stress test on their liquidity position and review the level of excess customer reserves. Based on this analysis, they may be better prepared to adjust liquidity or excess reserves (the ability to liquidate money market funds, or meet margin calls in a potentially volatile market, for example) prior to an event.

Ensuring Stability

The SEC is also poised to finalize Regulation SCI, a slate of technology-related initiatives intended to ensure financial market stability and minimize disruptions. It covers both technology malfunctions, like “flash crashes,” and natural disasters.

Regulation SCI (the acronym stands for “systems, compliance, and integrity”), which just emerged from its public comment process, would require “entities essential to the smooth functioning of the U.S. securities markets,” including exchanges and clearinghouses, to have comprehensive policies and procedures in place to maintain and secure their technology. It would require that systems have adequate capacity, integrity, resiliency, availability, and security.

Covered entities must designate individuals or firms to test business continuity and disaster recovery plans at least once a year and coordinate testing with other entities on an industry- or sector-wide basis.

Logistical Considerations

Suggestions and best practices cited by regulators in the new advisory include:

Remote access is an important component of business continuity plans (BCPs). Firms should consider their employees' ability to work from home during a crisis. They should consider enhancing the capabilities of staff that work from home by identifying technology and communications products that could increase efficiency.

Since the use of remote access relies heavily on fully functional telephone and internet service, firms should consider alternatives to telework in their BCPs, particularly for key control functions such as compliance, risk management, back-office operations, and financial and regulatory reporting.

When considering alternative locations (back-up data centers, remote locations), consider the hazards of a region-wide disruption. Use geographic diversity when determining the physical location of alternative sites, and consider whether the primary site and alternative sites rely on the same critical utility services, such as electricity, transportation, and telecommunications.

Evaluate the appropriate number of staff necessary at any alternative site to perform critical activities, including risk functions, control functions, finance, and treasury activities. Ensure that adequate space is available.

Consider keeping BCPs, contact lists, and other necessary documents, procedures and manuals at the alternative site, ideally in paper form in the event that electronic files cannot be accessed.

Adopt more diverse methods of communication with employees including allowing staff, particularly critical staff, to carry multiple communications devices on multiple carriers.

Firms should plan on conducting full BCP tests and participating in industry testing, at least annually. They are also advised to consider annual or more frequent training on their BCPs to familiarize all personnel with the plan and their critical pre-established roles.

‘More Pragmatic’ Plans

A survey released earlier this month by PwC looked at how business continuity management (BCM) plans are evolving.

More companies are integrating BCM into their enterprise risk management program, “versus seeing it as an insurance exercise or IT responsibility,” says Phil Samson, a principal in PwC's Risk Assurance practice and its business continuity management service leader.

The majority of respondents agreed that their BCM plans have become more pragmatic in recent years. Companies no longer have to “grasp for new ways to structure their BCM programs to get leadership buy-in,” Samson says. Illustrating the enterprise-wide negative impacts of likely interruptions is proving to be effective.


“In the past, companies built a structured script and walked through a specific scenario, but now they are realizing that real-life crisis events don't happen that way,” Samson says. “They are now looking at how to make crisis management plans much more flexible and capable of handling longer-lasting crisis events.”

Many respondents noted that “vendor resiliency” is now integrated into BCM, with 64 percent involving one or more third parties in their programs. While about half of the respondents either do not manage or assess vendor resiliency, 44 percent of companies said they are attempting to manage vendor resiliency within a centralized function.

Dealing with third parties can be especially tricky. “No matter what industry you are in, if you rely on third parties you have to know who they are,” says Robert Weiner, managing director and regional counsel for IPSA International. “You can't have your head buried in the sand anymore.”

Communication Plans

The following is from guidance on business continuity and communications with customers and external third parties that has been jointly issued by the Securities and Exchange Commission, Commodity Futures Trading Commission, and Financial Industry Regulatory Authority.

Firms should consider a plan for providing customers and trading counterparties with contact information so that business can continue. Firms should consider taking measures to ensure that their website is kept up-to-date with information about the firm's operational status and general contact information during a disruption event. Introducing firms should consider publishing contact information for clearing firms on their websites to enable customers to execute liquidating orders or wire transfers through their clearing firms should the firm be inoperable. Clearing firms are encouraged to be in a position to authenticate the validity of customer requests.

Firms should consider whether to establish relationships with multiple broker-dealers to facilitate alternative market entry points.

Firms should consider implementing a communication plan that allows firms to better communicate and coordinate with regulators, exchanges, emergency officials and other firms. Such coordination should reduce the likelihood of inconsistent communications. Firms are encouraged to participate in industry groups and task forces that may assist firms in strengthening their communication plans.

Source: CFTC.

Weiner's advice for establishing a company BCP is to investigate what continuity programs are also put in place by the external vendors and contractors you may need to rely on during an incident, especially if one hosts sensitive data on your behalf.

“What due diligence did you do to see what their support structure is?” he asks. “Have you tested it? Have you audited it? You can't contract away your affirmative responsibilities. Having a business continuity plan that doesn't take those risk factors seriously isn't bona fide.”

Companies should also take a customized approach to due diligence, says Weiner, one that takes into account the role a vendor serves, rather than a check-the-box exercise. Otherwise, a company might run afoul of regulators, violating, for example, the Foreign Corrupt Practices Act's demand for accurate books, records, and internal controls.

Role of Social Media

Most companies are not leveraging social media as a crisis management resource, the PwC survey found.

Those that are integrating social media into their crisis management efforts—with Facebook and Twitter cited most often—are not all seeing an improvement in their capabilities. Only 8 percent said that social media has enabled them to proactively identify and respond to crisis events.

Samson's advice is to first look through a company's crisis communication plan for ways to use social media as an effective communication channel to employees, key third parties, customers, and stakeholders. Then, look at the more likely crisis and risk scenarios and determine if social media could be used to facilitate crisis identification, internal and external communications, and recovery coordination efforts.