FINRA Provides Guidance on Pandemic Preparedness
Business Continuity Planning
In response to the outbreak of influenza A (H1N1) or swine flu, FINRA conducted a survey of certain firms to determine pandemic preparedness. This Notice describes the results of the survey, and is designed to help firms understand the concerns and risk-mitigating actions and take appropriate measures to prepare for the effects of a pandemic. This Notice also addresses areas of regulatory guidance that FINRA has provided during previous significant business disruptions.
The information in this Notice does not create new rules or obligations on firms, nor does the implementation of any or all of the guidance create a "safe harbor" relative to any FINRA rules or other securities regulations.
Questions or comments concerning this Notice may be directed to Terry Miller, Member Regulation, at (202) 728-8159.
Background & Discussion
2009 Pandemic Survey
In light of current events involving H1N1 swine flu, FINRA conducted a survey of selected firms to determine preparedness for a global pandemic or similar disaster.1 This survey continues FINRA's efforts to assist firms with business continuity planning by facilitating the exchange of information. The pandemic survey was modeled on the survey FINRA conducted following Hurricanes Katrina and Rita in 2005. The 2005 survey resulted in NTM 06-74, which provided valuable insight into effective business continuity planning and implementation.
As part of having a comprehensive business continuity plan, firms must conduct their own operational risk analysis to determine their vulnerability to various types of business disruptions, such as a pandemic, hurricane, earthquake, flood or cyber event.2 In the case of a pandemic, however, all firms are susceptible in some form to this type of business disruption. The extent to which they need to prepare for one depends on, among other things, the size of the firm, its office locations, its counterparty and service provider relationships, and the nature of its business.
FINRA is publishing this Notice to raise awareness of the regulatory and compliance issues surfaced by firms in the pandemic survey. Additionally, this Notice considers comments made in response to NTM 06-31 (NASD Requests Comment on Regulatory Relief that Should Be Granted in Response to a Possible Pandemic or Other Major Business Disruption). Depending on the nature and impact of a pandemic, FINRA may provide specific guidance on regulatory and compliance issues similar to the guidance FINRA has provided during previous significant business disruptions. Firms must not, however, prepare for the effects of a pandemic with the presumption that such regulatory guidance will come in the form of relief from compliance with rules and regulations.
Pandemic Survey Results and Discussion
The survey found that most respondents identified multiple events that could trigger implementation of their plans, indicating measured or tiered approaches to a pandemic depending on facts and circumstances. Many respondents indicated they have updated their plans to reflect developments related to H1N1, such as this virus' low death rate versus its high virulence or ability to spread infectiously (as of the publication date of this Notice).
FINRA also found that some firms have partnered with federal, state and local health organizations to obtain better information and priority access to medications and vaccines. Many firms have performed pandemic planning drills, such as simulations, tabletop exercises, structured walkthroughs or the Financial Services Sector Coordinating Council,3 Financial Services Authority4 or Monetary Authority of Singapore pandemic exercises. And some firms performed technology-related planning exercises, such as testing remote access permissions and abilities, backup location readiness and the ability to conduct production-level business.
Eighty-nine percent of survey respondents indicated their pandemic plans are working well or very well and 97 percent indicated their BCPs address the most significant challenges likely to be faced during a pandemic. Only 4 percent of survey respondents indicated they had experienced above-average absenteeism due to H1N1.
The following chart details the types of pandemic plan triggers noted by survey respondents, including World Health Organization (WHO) Phase declarations5 and Center for Disease Control (CDC)6 guidance.
Twenty percent of responses indicating "Other" triggers referenced such events as employees or their family members contracting the virus, infections in the vicinity of the firm, actions by local governments and health agencies, and directions from the broker-dealer's parent company. As noted, many firms have updated their plans' triggers to include events more relevant to their situation.
The three most significant challenges respondents identified as likely during a serious pandemic outbreak were absenteeism (25%), telecommunications disruptions (12%) and remote work arrangements (12%). Additional concerns included commuting (9%), provision of customer service (8%), transportation (6%), trade clearance and settlement (5%), counterparties (4%), market volatility (4%), regulatory filings (4%), power disruptions (2%) and access to online accounts (1%).
A majority of survey respondents indicated regulatory guidance they might request would depend on the facts and circumstances of a pandemic, including scope, duration, severity and the potential impact of deep and prolonged absenteeism. Respondents believed the two most beneficial areas of regulatory guidance in the event of a serious pandemic would relate to regulatory filings (11%) and continuing education (10%). Additionally, firms indicated potential interest in regulatory guidance relating to emergency office locations (9%), registration filings (9%), supervision (9%), books and records (8%), FOCUS filings (8%), qualification examinations (7%), communications (6%), and credit/margin regulation (4%). Eight percent of responses indicated other areas of potential guidance relating to order handling, best execution, prompt processing and forwarding requirements, providing customers access to funds and overall time extensions. NTMs 05-57 and 07-49, issued after Hurricane Katrina and the California Wildfires, respectively, provide context around the types of regulatory guidance FINRA would likely consider in the event of a pandemic.
Activation of Plan Actions or Protocols
Survey respondents have activated the following pandemic plan actions or protocols in response to H1N1:
Regulatory and Business Considerations
As noted above, survey respondents ranked absenteeism, remote work arrangements and telecommunications disruptions as the three most significant challenges likely to be faced during a pandemic. These and other related topics that firms may need to consider in drafting and/or refining their pandemic plans are discussed below.
One of the most immediate impacts of a full-blown pandemic will be increased employee absenteeism, either voluntary or forced. Absentee rates could reach into the double digits during a pandemic and the federal government has recommended that companies plan for 40 percent of their staff being absent for a two-week period at the height of a pandemic.7 Personnel will stay away from work to care for themselves or dependents, or because they are concerned about falling ill or spreading the virus. Transportation difficulties leading to absenteeism would arise in a pandemic, as noted by one firm with 25 percent of its employees relying on public transportation. Government agencies may seek to limit the spread of the virus by implementing school closures and international and/or domestic travel restrictions or quarantines.
Firms must ensure they prepare for the continuity of operations in light of increased absenteeism, which presents unique vulnerabilities in cases where vital institutional knowledge is vested in specific personnel. In such cases, firms could cross-train employees or create step-by-step instructions so that other employees can fulfill the functions of absent ones.
During such a period of heightened absenteeism, increased stress on telecommunications networks is expected as adults work from home and out-of-school children "surf" the Internet. Many survey respondents indicated that they believe they have taken appropriate measures to ensure telecommunications and remote work arrangements will function as designed and intended during a pandemic but that they remain vulnerable to telecommunications disruptions. One firm obtained dedicated, priority broadband service for the homes of those employees it determined were most critical. The reliability of such service exceeds that of regular home and business Internet service. The firm selected representatives from various groups and departments across the firm to receive this dedicated service. Additionally, this firm negotiated employee discounts on business-level Internet service. Overall, the firm proactively confronts the potential challenge of a stressed telecommunications network by having layers of telecommunications redundancy, including dedicated service, business and home networks, wireless cards and Blackberries/PDAs residing on multiple carriers.
Due to the heavy reliance on telecommuting in pandemic plans, many firms noted the importance of testing the assumptions and support structures on which their plans are based. Respondents have tested remote access capabilities and backup sites and servers by moving back office, trading and IT personnel to recovery locations to confirm functionality. Some firms even performed production-level activities in a live environment from recovery locations. One firm conducted a test of its system capacity and user knowledge by having over 1,000 users simultaneously attempt remote work. The firm followed this test with a survey to determine lessons learned from the employee perspective. Even with robust testing, however, firms noted they remain vulnerable to telecommunications networks being overwhelmed in a full-blown pandemic.
The Department of Homeland Security (DHS) conducted a study in 2007 on the impact of a deadly pandemic on the nation's communication network. It was recognized that telecommuting would be a "key component of the national response to pandemic influenza." The study identified potential telecommunications congestion points, recommended preparations and best practices, and modeled pandemic impacts at multiple levels of severity. Firms are encouraged to review this study, as well as the information on FINRA's BCP and pandemic Web pages (see www.finra.org/bcp), and update their plans accordingly. Below are some key findings from the DHS study.
|Potential Congestion Points and Associated Risks|
|For Enterprise Networks|Remote access resources, such as VPN and firewalls, may be overloaded|
| |Remote access applications, such as webmail, may be overloaded|
| |Servers may only be able to handle a limited number of outside connections|
|For Residential Internet Access Networks|Competition between telecommuters and recreational users for bandwidth|
| |Network service provider capacity is oversubscribed in the range of 10:1 → 100:1|
|Recommended Preparations and Best Practices|
|For Enterprise Networks|Limit remote access to critical users and applications|
| |Disable multimedia and social networking capabilities during critical periods|
| |Obtain Telecommunication Service Provider (TSP) status and capabilities through the Department of Homeland Security|
|For Telecommuters|Critical users should not rely on residential Internet access and should secure premium or dedicated service|
| |Practice bandwidth-saving through actions such as transferring large amounts of data at night and logging off corporate VPN connections when not in use|
| |Stagger telecommute arrangements by scheduling employees to remote-work at designated times during the day/night in order to disperse and equalize bandwidth requirements|
It is important to note that many of the preparations and best practices recommended by the DHS study would need to be designed, configured, enabled or implemented prior to the outbreak of a pandemic in order to be effective. FINRA recommends that firms consult their IT personnel as part of their pandemic planning.
Additionally, the DHS study addresses the heightened cyber-security risk likely present during an outright pandemic due to the significant increase in online users. For example, the study notes that personnel normally protected by corporate firewalls and IT departments would need to rely on the security of their own home networks. The DHS study includes cyber-security best practices for both business and home users.
Remote Work Arrangements
Many firms intend to employ a number of techniques to help limit the spread and impact of a virus. According to survey respondents, social distancing is a preferred method and may include travel restrictions, employee quarantining, revised sick leave policies, special pandemic leave time or specialized seating plans for densely populated floors/buildings. Many techniques will involve remote work arrangements, such as working from home or a backup/recovery location. Since associated persons may need to work from remote locations during a pandemic, it is important that firms' supervisory systems are adequately designed to provide reasonable supervision of employees' activities (regardless of their functions) while working from remote locations.
Annual Review, Testing and Updating
FINRA recognizes that it can be challenging to prepare for an event that has yet to fully materialize. As one survey respondent noted, "predictions of a pandemic are unreliable." FINRA's BCP rule requires firms to conduct an annual review of their BCPs to determine if any modifications are necessary. Testing is not only an important component of the annual review, but it is also essential to the construction and maintenance of an effective BCP program. For example, a firm may test the functionality of back-up technology or of a designated "emergency personnel team" in a simulated business disruption such as a pandemic outbreak. Testing in such a manner would help a firm determine whether it has met the "reasonably designed" threshold of FINRA's BCP rule. As noted in NTM 06-74, which describes firms' experiences involving Hurricanes Katrina and Rita, those firms that had thoroughly tested their BCPs faced minimal disruptions. Firms that had not performed adequate testing encountered unanticipated problems, such as servers and systems incapable of handling workload and capacity requirements. Additionally, basic testing should ensure relevant staff has appropriate access, permissions and connectivity to allow them to function successfully from recovery sites and remote locations. While preparing for an unpredictable event can be challenging, testing is an effective risk-reduction method.
One respondent, who had not tested the firm's pandemic plan, indicated the plan was theory-based rather than providing detailed, practical guidance and instruction to employees. As such, the firm had not tested its plan because there was little tangible material to test. With the outbreak of H1N1, the firm found the general concepts of its pandemic plan were not useful. The firm has since begun updating its pandemic plan to provide more useful information to staff.
As noted above, numerous firms indicated they have updated their plans based on the behavior of H1N1. Many firms originally had their plans' triggers based on WHO pandemic declarations. In practice, however, some firms found WHO H1N1 declarations to be disconnected from their local situation. These firms have since updated their plans to include more relevant triggers based on local events, such as local health department guidance and school closings.
Firms need to identify their key dependencies and the risks a pandemic poses to these relationships. Key dependencies and critical relationships may be both internal and external to the firm. They may include dependencies on clearing firms, telecommunications networks, outsourcing/off-shoring providers, internal departments, mail service, utilities or other counterparties. As an example, reports in the media discussed the impact of H1N1 on an Indian outsourcing company, which in turn had outsourced to lower-cost Mexico. Due to H1N1, workers in Mexico were forced into remote work arrangements, in turn impacting the level of service contracted by a U.S. firm through the Indian company. In NTM 05-48, FINRA reminds firms that outsourcing covered activities in no way diminishes a firm's responsibility for either its performance or its full compliance with all applicable federal securities laws and regulations, and FINRA and MSRB rules. Firms should consider updating service-level agreements with their vendors, if they have not done so already, to address the potential impacts of a pandemic. Whether a key dependency is internal or external, firms must understand where a pandemic may concurrently impact a critical relationship.
Partnering with Local Health Departments
Many respondents discussed how their local health departments, upon the encouragement of the CDC, have become allies and integral parts of their pandemic planning and response. Local health departments have sponsored scenario tabletop exercises, educated firm employees and agreed to provide real-time information on the local impacts of H1N1 to respondents so that they may respond to the pandemic accordingly.
One firm has taken its cooperation with local health officials to a beneficial level. This firm became a "closed point of dispensing" site (also known as a "closed POD"). Under this arrangement, local health authorities, in partnership with the CDC, will dispense or "push" enough doses of the pandemic vaccine to immunize the firm's employees and their immediate families. This push method allows for local health officials to target certain population groups through advance planning. During the height of a pandemic, local health officials will not need to worry about vaccinating these groups in the traditional "pull" method, in which the public is pulled into vaccination clinics. The pull method is more labor and planning intensive for local health officials because so many variables, such as location, staffing and supplies, are unknown. To learn more about the closed (or push) point of dispensing program, contact your local city, county/parish or state health officials.
The survey results indicate that many firms have taken seriously the issue of pandemic preparedness. Almost all respondents have conducted a review of the potential impact of a pandemic and have BCPs specifically addressing a pandemic. The majority of firms that responded to the survey have also tested their pandemic plans. While these results are encouraging, firms must continue to prepare for the potential effects of a pandemic.
Survey responses highlight the importance of plan testing and employee cross-training. Responses also note the importance of having a comprehensive telecommunications strategy designed to address predicted Internet traffic congestion and slowdowns. Firms should take advantage of the useful and pertinent information provided by their peers and highlighted in this Notice and on FINRA's BCP and Pandemic Web pages at www.finra.org/bcp. Importantly, remember that many of the preparations and practices noted by survey respondents would need to be enacted prior to the outbreak of a pandemic in order to be effective.
1 Approximately 150 firms, including clearing and carrying firms and those with significant trading or retail operations, were asked to participate in this survey. 109 firms responded to the survey with some electing not to answer every question.
2 NASD Rules 3510 (Business Continuity Plans) and 3520 (Emergency Contact Information) comprise the NASD Rule Series 3500 (Emergency Preparedness) and require, among other things, that firms establish a written business continuity plan identifying procedures relating to an emergency or significant business disruption and report to FINRA, via such electronic or other means as FINRA may specify, prescribed emergency contact information that includes the designation of two emergency contact persons.
The SEC recently approved the adoption of NASD Rules 3510 and 3520 as FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information). See Exchange Act Release No. 60534 (August 19, 2009); 74 FR 44410 (August 28, 2009). FINRA will announce the effective date of FINRA Rule 4370 in a Regulatory Notice published pursuant to the protocol FINRA has established for announcing the effective date of new FINRA rules that are being adopted as part of the consolidated rulebook (Consolidated FINRA Rulebook). See Information Notice 10/6/08.
3 The Financial Services Sector Coordinating Council is affiliated with the Department of Homeland Security and was established to address the protection of critical US infrastructure.
4 The Financial Services Authority is the United Kingdom's independent, non-governmental regulatory body charged with maintaining market confidence, promoting public awareness, protecting consumers and reducing financial crime.
5 For information on the WHO pandemic phase descriptions, visit: http://www.who.int/csr/disease/influenza/GIPA3AideMemoire.pdf
6 The CDC, which is part of the Department of Health and Human Services, serves as the national focus for developing and applying disease prevention and control, environmental health, and health promotion and health education activities designed to improve the health of the people of the United States.
7 Homeland Security Council. National Strategy for Pandemic Influenza Implementation Plan. May 2006.