Member Business Continuity Experiences regarding Hurricanes Katrina and Rita
GUIDANCE
Business Continuity Planning
SUGGESTED ROUTING |
KEY TOPICS |
Executive Representatives Information Technology Legal & Compliance Operations Senior Management Training |
Business Continuity Planning Rule 3500 Series (Emergency Preparedness) |
Executive Summary
In May 2004, NASD issued Notice to Members 04-37 regarding business continuity planning. That Notice addressed NASD Rules 3510 and 3520 and provided supplemental detail regarding the key elements of a business continuity plan (BCP).
Following Hurricanes Katrina and Rita in August and September 2005, NASD issued a voluntary survey on the topic of business continuity planning to certain member firms within the affected areas. The objective of the survey was to assess the value of business continuity planning and to learn from these firms' experiences. Overall, the survey helped provide valuable insight into business continuity planning and the implementation of such plans in the wake of a disaster. Firm responses also provide guidance to all member firms about specific business functions and tools that performed well following these events, as well as those that did not. The information in this Notice does not create new rules or obligations on members, nor does the implementation of any or all of the guidance create a "safe harbor" relative to any NASD rules.
Questions/Further Information
Questions concerning this Notice may be directed to Daniel M. Sibears, Executive Vice President & Deputy, Member Regulation, at (202) 728-8221.
Background
Implementation of NASD Rules 3510 and 3520 Addressing BCPs and Emergency Contact Information
In the days and weeks following September 11, 2001, the securities markets and industry showed an impressive ability to recover and continue business. To learn from the events of this period, NASD surveyed randomly selected members to gauge the industry's recovery capabilities in greater detail to determine, among other things, whether any regulatory action was needed to assure swift recovery in the event of any future significant business disruptions.
The survey yielded valuable results. It showed that a significant number of NASD member firms did not have BCPs in place at the time, or had plans that did not provide coverage in certain areas, such as document back-up and customer access to accounts during an emergency. As a result, NASD determined that member firms would benefit from the implementation of a BCP that contained, at a minimum, the following ten key components:
These key components, along with industry feedback, were used to develop the new Rule 3500 Series (Emergency Preparedness) that requires members to establish emergency preparedness plans and procedures. The Securities and Exchange Commission (SEC) approved the rule series on April 7, 2004.1 NASD issued Notice to Members 04-37 in May 2004 to provide guidance to members regarding the implementation of the rules.
Rule 3510 (Business Continuity Plans) requires each member to create and maintain a written BCP identifying procedures relating to an emergency or significant business disruption that are "reasonably designed to enable the member to meet its existing obligations to customers" and enumerates certain requirements that each plan must address.2Rule 3510 further requires each member to update its plan upon any material change in operations, structure, business or location and, at a minimum, to conduct an annual review of its plan.3 Each member also must disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope.4
Rule 3520 (Emergency Contact Information) requires each member to report to NASD prescribed emergency contact information for the member and update that information in the event of any material change.5 This is done electronically through NASD's Contact System (NCS).
Learning from Hurricanes Katrina and Rita
Following Hurricanes Katrina and Rita in 2005, NASD conducted a survey ("Katrina Survey" or "survey") of the business continuity planning of certain member firms impacted by these events. The objective of this voluntary survey was to assess the value of business continuity planning and to learn from these firms' experiences. The selected members included local, regional and national firms operating in affected areas of Louisiana, Mississippi and Alabama at the time of the hurricanes.
The Katrina Survey contained questions regarding the performance of firms' BCPs before, during and after Hurricanes Katrina and Rita. For various plan aspects, the survey asked firms to rank the performance of their BCPs and to provide feedback on their experiences. Overall, the Katrina Survey helped provide insight into business continuity planning that was effective and ineffective during these events. Firm responses also provided guidance about specific business functions and tools that performed successfully, as well as those that did not. In this regard, the results offered in this Notice are provided as guidance to members to use as they deem appropriate. The information does not create new rules or obligations on members, nor does the implementation of any or all of the guidance create a "safe harbor" relative to any NASD rules.
Discussion
Input from firms that found their business continuity planning effective during Hurricanes Katrina and Rita:
Input from firms that found their business continuity planning was not effective enough to compensate for the effects of Hurricanes Katrina and Rita:
The survey also sought to learn specific lessons based on the experiences of member firms during Hurricanes Katrina and Rita. Members responding to the survey provided suggestions, feedback and advice borne from these experiences.
What some firms found helpful during the events of Hurricanes Katrina and Rita:
What some firms found least useful/helpful during Hurricanes Katrina and Rita:
Firm Feedback regarding NASD's BCP Tool, Templates and Related Resources:
Member firms were asked in the Katrina Survey to assess NASD's post-disaster response as well as to rate NASD's BCP guidance. The overall response was positive with firms saying NASD was "flexible," "accommodating" and "realistic." Firms stated they found NASD's BCP guidance to be satisfactory.
Resources Available through NASD
NASD continues to provide multiple BCP tools, templates and related resources on its Web site,
www.nasd.com/RulesRegulation/IssueCenter/BusinessContinuityPlanning/index.htm.
These online resources include:
Common Findings from NASD Examinations
Members have generally been in compliance with the requirements of NASD Rules 3510 and 3520 since implementation in 2004. Many have used the NASD Small Firm Business Continuity Plan Template to develop plans. Nonetheless, there have been areas of concern related to business continuity uncovered during NASD examinations that include:
Summary of Survey Results
Based on the Katrina Survey results, firms found they were impacted in different ways by Hurricanes Katrina and Rita. Their experiences varied depending on the firm's size and preparedness. Smaller firms with fewer relative resources faced the most severe impacts. Some of these small firms benefited from strong relationships with their respective clearing firms, which in turn were able to take calls and handle customer needs during the emergency. Medium-size and larger firms had additional staff and resources to absorb the storms' impacts, including established and fully functional alternate business locations outside of the directly impacted areas.
Regardless of a firm's size or impact proximity, firms with well-tested BCPs found they faced minimal disruption. For example, firms of various sizes and resources operating inside the city of New Orleans that had thoroughly developed and tested their plans encountered fewer disruptions than less prepared firms operating outside of directly impacted areas. In this regard, the results of the survey captured in this Notice may assist members in better preparing for emergencies or significant business disruption caused by events such as fire, flood, wind and earthquake, a disruption involving power or property, or an unknown variable. Preparation and practice, as evidenced by the results of the Katrina Survey, will support a firm's ability to address the needs of all constituents during a time of crisis.
1See Securities Exchange Act Release No. 49537 (Apr. 7, 2004), 69 Fed. Reg. 19586 (Apr. 13, 2004) (SEC Notice of Order Approving File No. SR-NASD-2002-108).
2Rule 3510(a) and (c).
3Rule 3510(b). Each member must designate a member of senior management who is also a registered principal to approve the plan and be responsible for conducting the required annual review. Rule 3510(d).
4Rule 3510(e).
5 In addition, each member must review and, if necessary, update the member's emergency contact information within 17 business days after the end of each calendar quarter. See Rule 3520(b).