February 12, 2003
The Honorable David M. Walker The Honorable Harvey L. Pitt Dear Messrs. Walker and Pitt: We are writing with reference to the recent U.S. General Accounting Office (GAO) report, Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants (GAO-03-251, February 12, 2003), which was prepared at our request, pursuant to the Rule X and XI jurisdiction of the Committee on Energy and Commerce over telecommunications, electronic commerce, and the reliability of all power. The financial markets and the many organizations active in those markets are critically dependent on telecommunications services for transmitting the data and voice services necessary to operate. The September 11, 2001, terrorist attacks extensively damaged the telecommunications infrastructure serving lower Manhattan--most of this damage occurred when 7 World Trade Center collapsed into a major telecommunications center at 140 West Street operated by Verizon -- and also caused major power outages, severely disrupting U.S. financial markets and causing the longest closure of the stock markets since the 1930s. The GAO report discusses in great detail the impact of the attacks on telecommunications infrastructure and power providers, these providers recovery efforts, and the efforts of financial regulators and market participants to improve telecommunications resiliency (see Chapter 2 at pages 38- 43 and Appendices I and II). Ongoing concerns about our Nations vulnerability to further terrorist attacks make prompt and effective action on these matters imperative. We salute the heroic efforts of the regulators, exchanges, clearing organizations, broker-dealer firms, telecommunications, and power providers, and nameless individuals in restoring operations as quickly as possible. The GAO report, however, chronicles critical shortcomings that leave the U.S. financial markets extremely vulnerable in the event of another wide-scale disaster. For example, GAO found that nine of the 15 exchanges, clearing organizations, ECNs (electronic communications networks), and payment system providers that GAO examined, including two critical organizations, were at great risk of experiencing an operations disruption because their business continuity plans did not address how they would recover if a physical attack on their primary facility left a large percentage of their staff incapacitated. Four organizations had no backup facilities and six had facilities located between two to 10 miles from their primary sites. Few had tested their backup plans. Accordingly, while we commend all parties for the steps that they have taken thus far to shore up physical and information security and business continuity plans, more remains to be done. GAO recommends that the SEC work with industry to:
In addition, the GAO report contains recommendations to improve SECs oversight of information technology issues. We generally support the GAOs recommendations. We also support additional SEC resources for this important task. We also respectfully request that GAO (1) continue to monitor progress in this area and (2) submit a follow up report in January 2004, on the status of these efforts and the need for any further actions. Thank you for your attention to this critical matter. Sincerely,
cc: The Honorable Jan
Schakowsky, Ranking Member
| |||
|