Brokerages and other financial services firms are facing increased pressure from the US government and regulators within the industry to define and test their IT disaster recovery plans.
They are also being being pushed to consider moving their backup data centres further away from their primary computing facilities.
Steve Randich, chief information officer at Nasdaq Stock Market, said that a combination of "peer pressure and regulatory pressure" is prodding companies to ensure that their systems will keep running if a disaster occurs.
Last month, US Securities and Exchange Commission approved rules proposed by the National Association of Securities Dealers and the New York Stock Exchange that require firms to submit business continuity plans detailing how they will provide access to systems during an emergency.
The plans are due by 5 August for NYSE members. The NASD set deadlines of 11 August for firms that clear stock trades and 10 September for brokerages that initiate transactions.
Next week, the Securities Industry Association will conduct a business continuity tabletop exercise in conjunction with the Bond Market Association. The SIA said government regulators will be present at the event, in which participants will walk through the process of responding to an emergency and co-ordinate their disaster recovery plans.
Nasdaq said that it had run tests at its two data centres two weeks ago to check the disaster recovery capabilities of member companies. The tests involved more than 50 brokerages and were conducted at the exchange's primary data centre in Connecticut in February and at its backup facility in Maryland last month.
"It's not that the regulators are mandating to see test results, although internal and external auditors and the SEC have collected records on the outcome of our tests," Randich said. "It's just short of a mandate, but that's enough to encourage people to ensure this all works seamlessly."
Randich said there was no system downtime at Nasdaq or the participating firms during the tests. "What we didn't know for certain was our market participants' ability to run [transactions] out of their backup sites," he said. "This was the first time outside of a disaster scenario where we were able to validate that their operations were good."
Peter Poulos, director and head of the business continuity group for the Americas at Credit Suisse First Boston, said he thinks "every major securities firm on the Street" is facing the challenge of showing that its disaster recovery strategies are in order.
Poulos, who is also chairman of the SIA's Business Continuity Planning Committee, said Credit Suisse's systems worked smoothly during Nasdaq's tests, although he admitted that its disaster recovery plan still has some kinks that need to be worked out. He would not disclose further details but noted that more pressure is being put on firms to increase the resiliency of their systems beyond the capabilities they have already built.
Large financial services firms also face an April 2006 deadline for meeting new federal guidelines on increased resiliency for trade clearance and settlement activities. The SEC, the Federal Reserve Board and the US Treasury Department's Office of the Comptroller of the Currency set the guidelines in a white paper last spring.
Complying with the guidelines "means having people in place at another location that's not in a commutable distance to the primary site", Poulos said. Many firms may move their backup data centres to other parts of the New York metropolitan area or to more remote locations, he added.
Howard Sprow, director of business continuity planning at the SIA, said the new rules should not have a big impact on large firms that have been improving their disaster recovery architectures since the 11 September 2001 terrorist attacks. The NASD and NYSE are simply looking to "formalise the process", he added.
"All the firms have robust backup sites that are some distance from their primary sites," Sprow noted. "But they are looking at ways to add additional sites or to increase the separation."
Lucas Mearian writes for Computerworld