Financial Regulators Release Post-Sandy Best Practices for Business Continuity

Author: Melissa Burdorf, XpertHR Legal Editor

August 19, 2013

The Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have jointly released a staff advisory on disaster recovery and business continuity plans (BCPs). The advisory comes in the midst of hurricane season, and after the three financial regulators reviewed the large-scale effects of Superstorm Sandy on Wall Street in October 2012 (e.g., the storm's impact on trading, customer relations, financial and regulatory obligations and operations).

Following Superstorm Sandy, US equity and option markets were closed for two days, and employers were uneasy about forcing employees to travel into the Wall Street area in unsafe weather conditions. The last time weather forced the New York Stock Exchange to close for two consecutive days was 1888. The regulators looked at how financial firms implemented BCPs during Superstorm Sandy and compiled a list of best practices with the hope that employers will review it and implement the suggested best practices in their own BCPs and procedures.

As Gary Barnett, Director of the CFTC's Division of Swap Dealer and Intermediary Oversight, said:

With this joint effort, we were able to leverage the experience of the entire industry to spread knowledge of best practices and identify areas that need improvement to help our firms be better prepared and better able to respond to disasters.

The regulators strongly suggest that employers be proactive and put in place effective BCPs and practices to help improve responses to, and reduce recovery time after, significant large-scale events like Sandy. For example, the advisory suggests that employers plan for:

  • Widespread disruptions to their business;
  • Alternative locations for employees to work (e.g., allowing employees to work from home, ensuring adequate staffing during a crisis);
  • Disruptions in telecommunications services, technology, power, transportation and other services (e.g., where back-up data centers should be located);
  • Communication issues (e.g., how to communicate with employees, customers and regulators during severe weather, and a system for updating information on the website); and
  • Regulatory and compliance issues (e.g., ensuring that the BCP includes/complies with regulatory requirements).