Brokerages and other financial services firms are facing
increased pressure from the US government and regulators within the
industry to define and test their IT disaster recovery
plans.
They are also being being pushed to consider moving their backup
data centres further away from their primary computing
facilities.
Steve Randich, chief information officer at Nasdaq Stock Market,
said that a combination of "peer pressure and regulatory pressure"
is prodding companies to ensure that their systems will keep
running if a disaster occurs.
Last month, US Securities and Exchange Commission approved rules
proposed by the National Association of Securities Dealers and the
New York Stock Exchange that require firms to submit business
continuity plans detailing how they will provide access to systems
during an emergency.
The plans are due by 5 August for NYSE members. The NASD set
deadlines of 11 August for firms that clear stock trades and 10
September for brokerages that initiate transactions.
Next week, the Securities Industry Association will conduct a
business continuity tabletop exercise in conjunction with the Bond
Market Association. The SIA said government regulators will be
present at the event, in which participants will walk through the
process of responding to an emergency and co-ordinate their
disaster recovery plans.
Nasdaq said that it had run tests at its two data centres two
weeks ago to check the disaster recovery capabilities of member
companies. The tests involved more than 50 brokerages and were
conducted at the exchange's primary data centre in Connecticut in
February and at its backup facility in Maryland last month.
"It's not that the regulators are mandating to see test results,
although internal and external auditors and the SEC have collected
records on the outcome of our tests," Randich said. "It's just
short of a mandate, but that's enough to encourage people to ensure
this all works seamlessly."
Randich said there was no system downtime at Nasdaq or the
participating firms during the tests. "What we didn't know for
certain was our market participants' ability to run [transactions]
out of their backup sites," he said. "This was the first time
outside of a disaster scenario where we were able to validate that
their operations were good."
Peter Poulos, director and head of the business continuity group
for the Americas at Credit Suisse First Boston, said he thinks
"every major securities firm on the Street" is facing the challenge
of showing that its disaster recovery strategies are in order.
Poulos, who is also chairman of the SIA's Business Continuity
Planning Committee, said Credit Suisse's systems worked smoothly
during Nasdaq's tests, although he admitted that its disaster
recovery plan still has some kinks that need to be worked out. He
would not disclose further details but noted that more pressure is
being put on firms to increase the resiliency of their systems
beyond the capabilities they have already built.
Large financial services firms also face an April 2006 deadline
for meeting new federal guidelines on increased resiliency for
trade clearance and settlement activities. The SEC, the Federal
Reserve Board and the US Treasury Department's Office of the
Comptroller of the Currency set the guidelines in a white paper
last spring.
Complying with the guidelines "means having people in place at
another location that's not in a commutable distance to the primary
site", Poulos said. Many firms may move their backup data centres
to other parts of the New York metropolitan area or to more remote
locations, he added.
Howard Sprow, director of business continuity planning at the
SIA, said the new rules should not have a big impact on large firms
that have been improving their disaster recovery architectures
since the 11 September 2001 terrorist attacks. The NASD and NYSE
are simply looking to "formalise the process", he added.
"All the firms have robust backup sites that are some distance
from their primary sites," Sprow noted. "But they are looking at
ways to add additional sites or to increase the separation."
Lucas Mearian writes for
Computerworld