<DOC> [109th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:26505.wais] FINANCIAL SERVICES SECTOR PREPAREDNESS ======================================================================= HEARING before the SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, FINANCE, AND ACCOUNTABILITY of the COMMITTEE ON GOVERNMENT REFORM HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS FIRST SESSION __________ SEPTEMBER 26, 2005 __________ Serial No. 109-124 __________ Printed for the use of the Committee on Government Reform Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html http://www.house.gov/reform ______ U.S. GOVERNMENT PRINTING OFFICE 26-505 WASHINGTON : 2006 _____________________________________________________________________________ For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800 Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON GOVERNMENT REFORM TOM DAVIS, Virginia, Chairman CHRISTOPHER SHAYS, Connecticut HENRY A. WAXMAN, California DAN BURTON, Indiana TOM LANTOS, California ILEANA ROS-LEHTINEN, Florida MAJOR R. OWENS, New York JOHN M. McHUGH, New York EDOLPHUS TOWNS, New York JOHN L. MICA, Florida PAUL E. KANJORSKI, Pennsylvania GIL GUTKNECHT, Minnesota CAROLYN B. MALONEY, New York MARK E. SOUDER, Indiana ELIJAH E. CUMMINGS, Maryland STEVEN C. LaTOURETTE, Ohio DENNIS J. KUCINICH, Ohio TODD RUSSELL PLATTS, Pennsylvania DANNY K. DAVIS, Illinois CHRIS CANNON, Utah WM. LACY CLAY, Missouri JOHN J. DUNCAN, Jr., Tennessee DIANE E. WATSON, California CANDICE S. MILLER, Michigan STEPHEN F. LYNCH, Massachusetts MICHAEL R. TURNER, Ohio CHRIS VAN HOLLEN, Maryland DARRELL E. ISSA, California LINDA T. SANCHEZ, California JON C. PORTER, Nevada C.A. DUTCH RUPPERSBERGER, Maryland KENNY MARCHANT, Texas BRIAN HIGGINS, New York LYNN A. 
WESTMORELAND, Georgia ELEANOR HOLMES NORTON, District of PATRICK T. McHENRY, North Carolina Columbia CHARLES W. DENT, Pennsylvania ------ VIRGINIA FOXX, North Carolina BERNARD SANDERS, Vermont JEAN SCHMIDT, Ohio (Independent) ------ ------ Melissa Wojciak, Staff Director David Marin, Deputy Staff Director Rob Borden, Parliamentarian Teresa Austin, Chief Clerk Phil Barnett, Minority Chief of Staff/Chief Counsel Subcommittee on Government Management, Finance, and Accountability TODD RUSSELL PLATTS, Pennsylvania, Chairman VIRGINIA FOXX, North Carolina EDOLPHUS TOWNS, New York TOM DAVIS, Virginia MAJOR R. OWENS, New York GIL GUTKNECHT, Minnesota PAUL E. KANJORSKI, Pennsylvania MARK E. SOUDER, Indiana CAROLYN B. MALONEY, New York JOHN J. DUNCAN, Jr., Tennessee Ex Officio HENRY A. WAXMAN, California Mike Hettinger, Staff Director Tabetha Mueller, Professional Staff Member Adam Bordes, Minority Professional Staff Member C O N T E N T S ---------- Page Hearing held on September 26, 2005............................... 1 Statement of: Allen, Catherine, chief executive officer, BITS, the Financial Services Roundtable; Donald Donahue, chairman, Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security; Samuel Gaer, chief information officer, New York Mercantile Exchange, Inc., chief executive officer, NYMEX Europe Limited; and Steve Randich, executive vice president of operations and technology and chief information officer, the NASDAQ Stock Market, Inc............................... 60 Allen, Catherine......................................... 60 Donahue, Donald.......................................... 88 Gaer, Samuel............................................. 101 Randich, Steve........................................... 114 Kelly, Raymond, police commissioner, city of New York........ 6 Parsons, D. Scott, Deputy Assistant Secretary, Critical Infrastructure Protection and Compliance Policy, Department of the Treasury; R. 
James Caverly, Director, Infrastructure Coordination Division, Department of Homeland Security; and Daniel Muccia, first deputy superintendent of banks, State of New York Banking Department............................. 22 Caverly, R. James........................................ 30 Muccia, Daniel........................................... 41 Parsons, D. Scott........................................ 22 Letters, statements, etc., submitted for the record by: Allen, Catherine, chief executive officer, BITS, the Financial Services Roundtable, prepared statement of....... 65 Caverly, R. James, Director, Infrastructure Coordination Division, Department of Homeland Security, prepared statement of............................................... 33 Donahue, Donald, chairman, Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, prepared statement of............... 90 Gaer, Samuel, chief information officer, New York Mercantile Exchange, Inc., chief executive officer, NYMEX Europe Limited, prepared statement of............................. 105 Kelly, Raymond, police commissioner, city of New York, prepared statement of...................................... 9 Muccia, Daniel, first deputy superintendent of banks, State of New York Banking Department, prepared statement of...... 42 Parsons, D. Scott, Deputy Assistant Secretary, Critical Infrastructure Protection and Compliance Policy, Department of the Treasury, prepared statement of..................... 24 Platts, Hon. Todd Russell, a Representative in Congress from the State of Pennsylvania, prepared statement of........... 3 Randich, Steve, executive vice president of operations and technology and chief information officer, the NASDAQ Stock Market, Inc., prepared statement of........................ 
116 FINANCIAL SERVICES SECTOR PREPAREDNESS ---------- SEPTEMBER 26, 2005 House of Representatives, Subcommittee on Government Management, Finance, and Accountability, Committee on Government Reform, Brooklyn, NY. The subcommittee met, pursuant to notice, at 10:07 a.m., at the Brooklyn Law School, 250 Joralemon Street, Brooklyn, NY, Hon. Todd Russell Platts (chairman of the subcommittee) presiding. Present: Representatives Platts and Towns. Staff present: Michael Hettinger, staff director; Tabetha Mueller, professional staff member; Daniel Daly, counsel; and Adam Bordes, minority professional staff member. Mr. Platts. A quorum being present, this hearing of the Committee on Government Reform Subcommittee on Government Management, Finance, and Accountability will come to order. I'd like to thank first the Brooklyn School of Law and my esteemed colleague and ranking member of our subcommittee, Mr. Towns, for hosting this field hearing here in Brooklyn. We're here in New York because this is the heart of our Nation's financial sector. On September 11, 2001, terrorists destroyed the World Trade Center in an attempt not just to murder and maim, but to dismantle our economy. With the backdrop of two destructive hurricanes, we see that any disaster, whether natural or man made, requires us to be well prepared. This hearing is about the preparedness of the financial sector in particular. The rapid recovery of the financial infrastructure after September 11th inspired confidence throughout America. The U.S. Treasury securities market opened just 2 days later and the equities market was in full operation by September 17th. Still, Congress, the executive branch and industry realized that financial firms would need new contingency plans. The Federal Government in partnership with local governments and the private sector responded with a variety of initiatives. Many of these post September 11th improvements were tested during the massive power blackout on August 14, 2003. 
All indications after the blackout were that improvements put in place after September 11th helped mitigate the damage that could have resulted from the infrastructure shutdown and panic the blackout caused. These results are encouraging. The purpose of this hearing is to examine the present status of financial market preparedness for wide scale disasters or disruptions, including efforts aimed at prevention, detection and response. This hearing will provide local, State and Federal Government officials and representatives from the private sector a chance to discuss accomplishments and identify areas where improvements and resources are still needed. [The prepared statement of Hon. Todd Russell Platts follows:] Mr. Platts. We have a very distinguished group of witnesses, beginning with Mr. Raymond W. Kelly, police commissioner for the city of New York. Commissioner Kelly, thanks for being with us. Mr. Kelly. Thank you, sir. Mr. Platts. Commissioner Kelly will be followed by Mr. D. Scott Parsons, Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy from the U.S. Department of Treasury; Mr. R. James Caverly, Director of the Infrastructure Coordination Division at the U.S. Department of Homeland Security and Mr. Daniel A. Muccia, first deputy superintendent of banks from the State of New York Banking Department. On our third panel will be Ms. Catherine Allen, chief executive officer of BITS, the Financial Services Roundtable and Mr. Donald Donahue, chairman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security; Mr. Samuel Gaer, chief information officer for the New York Mercantile Exchange; Mr. Steve Randich, executive vice president of operations and technology and chief information officer for the NASDAQ stock market. Thank you again all for being here today and we look forward to your testimony. 
I'm pleased now to yield to our ranking member, the gentleman from New York, Mr. Towns, for purposes of an opening statement. Mr. Towns. Thank you very much, Mr. Chairman. Thank you for holding this hearing today in Brooklyn. I'd also like to thank our police commissioner, Mr. Kelly, which I'd say is the finest commissioner this city has ever known or seen. He's done a fantastic job over the years. Always a pleasure to see you here. Mr. Kelly. Thank you, sir. Mr. Towns. I'm pleased to welcome our Government Management Subcommittee to our home town, Brooklyn, NY, New York and look forward to our distinguished panel from both the public and private sectors. The financial capital of the world, New York remains a vital component of economic growth, both domestically and abroad. Although political and economic alterations have shaped and changed the marketplace in recent years, banks, brokers, government lenders and Wall Street have remained the backbone of our capital and currency markets from Brooklyn to Beijing. The New York Stock Exchange alone accounts for approximately 2,800 companies with a combined market capitalization of nearly $20 trillion. On an average day the New York Stock Exchange trades nearly 1 1/2 billion shares for an average daily dollar volume of roughly $50 billion. Stock and equity instruments, however, are not the only source of economic reliability for our markets. Future commodities and options trading at places such as the New York Mercantile Exchange serve as a major investment vehicle among institutional investors, pension funds and economic forecasters for domestic and foreign companies. Imagine the crisis our domestic manufacturers or agricultural sectors would be faced with if they did not have access to a viable commodities trading platform for energy products. 
Recent events, however, beginning with the tragedy of September 11, 2001 have forced both government and industry at all levels to reevaluate how well we are prepared to maintain stability and continuity in the marketplace should another disaster occur. Such events are not only fiscal in nature, as electronic attacks on our electricity and telecommunication grids can prove as consequential and costly as a physical attack. The government and private sector have appropriately embraced the need for stronger planning and coordination of activity since September 11th and have successfully begun to incorporate risk-based activities in their plans to reduce the threats facing industry and the physical infrastructure, human capital and personnel and information sharing capabilities. Backup systems and fiscal entities separate from current operations are now common among brokerage houses and trading platforms. Nevertheless, the various types of threats facing our financial services sector require planning at not only the Federal level, but at the State and local levels of government as well. While the Department of Homeland Security may coordinate information sharing activities and threat level analysis, it would require the Metropolitan Transportation Authority, the New York PD and the Office of Emergency Management to execute a broad-based evacuation of Wall Street or southern Manhattan in the event of a physical attack within the surrounding area. These activities would require State authorities to reconfigure travel patterns on interstate highways and area bridges to insure safety and orderly evacuation activities. Furthermore, the functionality and reliability of our telecommunication electricity and pipeline grids will require both Federal and State coordination of activities in order to remedy and preserve the security of our energy resources in the wake of a disaster. 
From this perspective, I hope our witnesses can demonstrate for us a clear delineation of responsibilities among both government and regulators and private sector participants. An underlying tenet of our market-based model is the level of trust and transparency investors both large and small can place in our institutions. It is our responsibility for planning and executing an adequate level of security and reliability for market activities that is shared at all levels of government in concert with private sector participants. Thus, I hope our witnesses will speak to this blueprint of coordination, execution and transparency to insure that our market remains the bedrock of economic growth for centuries to come. Again, I'd like to thank all the witnesses for appearing today, and on that note, Mr. Chairman, I yield back. Mr. Platts. Thank you, Mr. Towns. We'll commence with the testimony of Commissioner Kelly. If you don't mind, would you please stand and be sworn in? [Witness sworn.] Mr. Platts. We'll note that the Commissioner affirmed the oath in the positive. We'll proceed, we have a general guideline of about 5 minutes, but, Commissioner, we're delighted to have you here and the expertise you have, he may be giving you some guidance on time, but we really would like you to take whatever time you need to share your insights with us. STATEMENT OF RAYMOND KELLY, POLICE COMMISSIONER, CITY OF NEW YORK Mr. Kelly. Thank you very much, Mr. Chairman and Congressman Towns. Good morning and thank you for inviting me today. Defending this city, the financial capital of the world, from a terrorist attack is the No. 1 priority of the New York City Police Department. Accordingly, I'd like to focus my remarks today on the preventive measures the department is taking against this threat. As you know, one of the stated aims of Osama bin Laden and al-Qaeda is to target America's economy. 
Shortly after the September 11th attacks, bin Laden himself exulted in the massive blows suffered by the U.S. economy, offering in an interview his own estimation of over $1 trillion in losses. We have no doubt that he seeks to replicate that strike if possible. Since then, we learned of another plan to target financial institutions in New York. This after authorities discovered detailed surveillance of the Stock Exchange and the Citigroup Center in the laptop computer of an al-Qaeda operative captured in Pakistan last year. This followed two additional al-Qaeda plots to target the city in 2003; the first to bring down the Brooklyn Bridge and the second to smuggle weapons through a garment district business into the heart of Manhattan. These plots were foiled by increased police visibility and good intelligence sharing. I cite them as evidence that New York City remains squarely in the cross hairs. Consequently, nowhere else is the effort to prevent another attack being undertaken with greater urgency. In addition to the dollar cost, this has required that we divert 1,000 police officers to counter-terrorism duties every day, and engage in extensive training and preparation. We've also undertaken a range of defensive measures to protect and harden the downtown financial district and enlist the support of the private sector. Beginning in January 2002, we created a new bureau of counter-terrorism and we restructured our intelligence division. We've recruited outstanding individuals with extensive Federal intelligence and counter-terrorism experience to run them. We expanded our presence on the Joint Terrorist Task Force with the FBI and we posted detectives to seven other countries to enhance the flow of information we receive about any threats relevant to New York City. We established one of the premier counter-terrorism training centers in the Nation right here in Brooklyn. 
In addition to our own core of 37,000 police officers, we have delivered training through that center to the members of the New York City Fire Department, the Metropolitan Transportation Authority Police Department, New York State Police; Nassau, Suffolk, Westchester, Rockland County Police and other agencies. We have also brought in dozens of private security professionals from hotels, banks and other institutions and trained them to better protect their facilities. Through our Nexus program we are reaching out to businesses that terrorists might seek to exploit. We want businesses to report any unusual order or anomalies that might suggest terrorist involvement. Detectives have paid thousands of visits to businesses throughout the city to increase their counter-terrorism awareness. In July we launched a new initiative with the private security industry in New York called NYPD Shield. We are establishing a secure Web site with training materials and threat information updates and we have offered detailed briefings on topics such as the London bombing and the attacks on the Egyptian resorts at Sharm el Sheikh. We also exchange threat information daily with the city's corporate and institutional security directors through an instant messaging system. We have expanded the protection of critical infrastructure throughout the region. We have created the threat reduction and infrastructure protection program [TRIPS]. We've also divided critical infrastructure into five categories and assigned a team of detectives to cover each one. These investigators visit facilities throughout the city, identifying vulnerabilities and developing comprehensive protection plans with site managers to prevent attacks. In 2003, at the beginning of the war in Iraq, we implemented a comprehensive security plan known as Operation Atlas. Given the ongoing terrorist threat Atlas remains in effect today. 
Broadly speaking, Operation Atlas has tightened the protective net around the city by increasing vigilance at entry points into New York and by placing mass transit and other potential targets under much greater scrutiny. Turning to the financial district itself, beginning in 2002, the Police Department engaged in extensive collaboration with the New York Stock Exchange and downtown business leaders to harden the financial district. The area around the Exchange is the subject of 24-hour police presence under Operation Atlas, which includes visits by our heavily armed Hercules teams. We also established vehicle checkpoints at seven major intersections leading into the Exchange. Each is monitored by Stock Exchange security officers trained by the NYPD. Each checkpoint is outfitted with Police Department recommended equipment, including Delta barriers and sallyports to deter truck bombs; explosives screening points and bomb-resistant guard booths. Further protection is offered by dozens of retractable bollards and heavy planters that restrict pedestrian and vehicle flow. I want to note that as lower Manhattan continues to recover, and continues its rebuilding process, we plan to dedicate significant resources and personnel to keep pace with the growth of business. That includes the establishment of a coordination center where all relevant law enforcement agencies and the private sector will be represented. We look forward to Federal support of such an initiative. Mr. Chairman, any viable counter-terrorism program must stress prevention and response equally. And if, God forbid, New York City is struck again by terrorists or any other disaster, the Police Department will be prepared to respond immediately. We have trained approximately 12,000 of our officers in more advanced chemical, biological and radiological response to an attack involving weapons of mass destruction. 
We have also provided training to nearly all of our uniformed personnel in the New Citywide Incident Management System or SIMS, adopted last year by New York City. The system provides a unified command structure that allows the Police Department to work seamlessly with other first responders, including the Fire Department, for any disaster. We conduct daily exercises throughout the city in responding to a terrorist attack. This constant training and drilling paid off during the blackout of 2003, when the Police Department was mobilized to protect the city from looting and potential disorder. There were few arrests and disruptions were kept to a minimum. As you know, while overall evacuation planning is the responsibility of the city's Office of Emergency Management, the Police Department would play a major role in such an event. One of our most important responsibilities would be to secure key sites and protect life and property during and after a major incident. We're fully prepared to do that. On that note, I want to mention that last week we welcomed back the second half of the 300-plus police officer contingent we sent to Mississippi and New Orleans after Hurricane Katrina. These officers took part in search and rescue operations and patrolled against looters. Along with the pride and satisfaction from a job well done, the Police Department will undoubtedly learn from that experience and we dispatched another joint New York City Police Department and Fire Department team to Texas to assist there with Hurricane Rita. Finally, Mr. Chairman, I want to emphasize that all of our preparations come at a steep price; about 180 million per year to maintain our daily counter-terrorism and intelligence activity. These are ongoing operational costs to defend the city. While the Federal Government provides vital assistance for training, equipment and overtime, we still have huge expenses to cover. 
Regrettably, the influx of Federal support one would expect to flow to New York as a result of living in the cross hairs has not been sufficient. The Police Department is defending New York's people, its infrastructure and the Nation's financial assets from another terrorist attack, yet a large proportion of the Federal homeland security grant funding still is not targeted to threat. The Federal Government must invest realistically in protecting those areas the terrorists are likely to target again. Along with a few other major cities, New York tops that list. Everything we know about al-Qaeda tells us that this is true. It's a lesson from our history that we simply cannot afford to ignore. Thank you for inviting me today, Mr. Chairman. [The prepared statement of Mr. Kelly follows:] Mr. Platts. Thank you, Mr. Kelly, we appreciate your testimony and glad to have an exchange with you. Just this past week we saw with Mayor Bloomberg announcing the $6 million grant from the Department of Justice regarding the interoperations of communications, through the city and the surrounding counties and boroughs of New York and New Jersey and that certainly goes to part of your message about coordination and the ability to be on the same page. Can you expand a little bit on that effort and how that's building on the interoperable communications already in place since September 11th? Mr. Kelly. We actually had interoperability capability before September 11th and since September 11th it's been reinforced and practiced indeed. We emphasize and check our interoperability channels every day. What this gives us is the ability to communicate with the surrounding areas; particularly Essex County in New Jersey and Bergen County and Westchester County. 
So in the event that our resources from those counties need to come into New York City or we respond to their purposes, we can communicate more effectively. So it's certainly moving in the right direction. With support it will take perhaps about a year to get that function. We do have now interoperability with Nassau County, which is contiguous to New York City, on our eastern border. So it's, again, part of the continuum to continuing to improve our ability to communicate. Mr. Platts. The provision of the $6 million certainly is not perfect, and I know it's a challenge to acquire sufficient funds. You've touched in your testimony on the not-unlimited national funds, that we do it in a smarter way. Are there specific examples of where the things that are currently you'd like to see done that stand before Department of Homeland Security or Justice to help fund some of the efforts here that are most critical to your efforts regarding a possible terrorist attack in general or specific to the financial sector? Mr. Kelly. We incurred significant operational expenses to have our counter-terrorism program in place, that is, in essence, overtime expenses. I mention it in my prepared remarks, we spend about $180 million a year, Police Department, that is, to carry out our counter-terrorism functions. That's on top of other overtime expenses that we have in the normal course of protecting this city. What we would like to see is in a general sense more money made available for those operational expenses. Much of the money that we have received is targeted for equipment and we certainly appreciate that and we need it, but we'd like to see if at all possible a broadening of the authority where we would get reimbursement that enables us to pay for operational expenses, particularly overtime expense. Mr. Platts. Your testimony talked about 1,000 officers a day. That's year round you have 1,000 officers involved in training related to counter-terrorism? Mr. Kelly. Yes, sir. 
Either officers or full time equivalent officers. We've created a counter-terrorism bureau, we expanded our intelligence division. We also have our preparedness program, where we have responses, everyday drills where we take them off of normal patrol duties, have them come to locations--it can be throughout the city, but most of the locations, quite frankly, are in Manhattan, so we mobilize twice a day, we'll bring in as many as 100 radio cars, so two officers will come together twice a day to do that. We then take them, mobilize, and then go to sensitive locations that we're concerned about. They don't go necessarily to the same location every day. We make certain we change the face of what we do, because we are concerned about reconnaissance going on. So that's part of our resource tactic, to make certain we constantly change what we do. But in doing that, and in training, as you say, it requires about 1,000 officers a day. So it's a significant commitment on the part of the city at a time when, right now as we speak, we are 4,500 officers below where we were in October 2000. So not only have we reduced the head count because of budgetary reasons, we are supplying 1,000 officers for counter-terrorism forces. We're happy and it's a credit to the great job that the police officers of the city that crime is continuing to come down. As a result of their hard work, crime is down about 20 percent in the last 3 1/2 years in New York City. It still takes a lot of hard work, a lot of effort, but we're juggling a few balls in the air, as you can see. Mr. Platts. I think across the country, I'm not a veteran myself of the military or a member of the law enforcement community and both communities have my great respect and admiration and our law enforcement here at home and the first responders are really the heroes of this war on terror, certainly in New York and the New York City Police Department. 
In your coordination in trying to be prepared, whether it be communication or manpower, you talked about one, protecting infrastructure, and again, in the financial sector, or people in the--evacuation people if the financial sector was again targeted. How is your coordination with National Guard? One of the challenges we saw in Katrina was how that coordination, Federal, State and local occurred. How often do you train with, interact with National Guard if they were trained to assist with either evacuation or control in New York City? Mr. Kelly. There are actually National Guard troops in New York City now, certainly at Grand Central Station, Penn Station. When we have major events, we activate what we call an emergency operation center in Police Headquarters and we will have representatives from many city agencies, State agencies, Federal, including the National Guard, so they're physically located with us. I must also say private sector security also comes to our emergency operations center. So we're in the business of communicating and coordinating with them, at least the ones--for instance, last, well, it's now, the U.N. General Assembly is ongoing, but a week and a half ago we had the plenary session where we had more world leaders that have ever come to one spot in one building before, it was the 60th anniversary of the United Nations, so we activated that and within that center was National Guard, military, so we do it on a regular basis. Mr. Platts. You mentioned the private sector in your NYPD Shield program, trying to have that communication. How can you describe the buy-in or the involvement of the private sector communities with NYPD? Mr. Kelly. They very much want to be working with us and certainly we want that as well, so there's a very collaborative, cooperative environment that exists in this city. 
We have had a program, the APL program, it stands for Area Police Liaison Program, it's been in existence since the 1980's, but we've strengthened that. We communicate with the people in that group virtually every day, by Blackberry, e-mail, letting them know what's going on on a daily basis. That program has been ongoing, as I say, and has been strengthened. Now, NYPD Shield is sort of an umbrella program that incorporates that and other programs that we have. It is a proactive attempt on our part to do training, to bring them even closer to us, and it's been very well received. We have a Web site and we keep them informed of an ongoing situation. I said in my prepared remarks, we had a detailed briefing for them on the London bombings, we very much appreciate it. Just recently we had a briefing on the Sharm el Sheikh bombings in Egypt. We had an officer assigned to Israel, he was able to go there, came back with specific information. Showed him pictures, and as I said, we're communicating on e-mail all the time. So that organization has about 1,000 members. But these are security directors. I mean, they're representative of the major corporations in New York City. These are the security people who really are protecting the financial services industry and other industries as well. So I'm very encouraged about Shield and I can only characterize our relationship with the private security and private sector as being a very strong and collaborative one. Mr. Platts. I have some additional questions, but I want to yield. Before I do, I want to note that we're joined by Dean Wexler and I thank her for letting us be here today. As a law school graduate, I'm always hesitant to being in a moot court, I'm used to being out there and being judged, but I guess we're being judged differently today, but I appreciate your hosting us. Mr. Towns. Mr. Towns. 
I'd like to echo the chairman's thanks, Dean, for allowing us to come in and also like to thank you, Commissioner, for coming. In terms of funding for first response, from the Federal Government, can you describe for us the flaws or barriers that may be inherent with the current process? What are some of the problems that you see in the present process? Mr. Kelly. As Mayor Bloomberg has stated many times and I've gone to Washington and testified that we would certainly support a funding allocation that would base totally on threat. To us it's logical. We see ourselves threatened and we would be the recipient of more funding, with some formula based on threat or at least more heavily based on threat than the existing formulas that were put in place. Having said that, I mean, we need the money, but having said that, the Mayor has made certain that the department is getting everything that it needs, that we need, and he said that on many occasions. This strains the city's budget, though, no question about it. Money, we have to have a balanced budget every year, so the money that's going to the Police Department, the Fire Department, other first responders is being taken from somewhere else in the city's budget. So we believe that a threat-based formula, a total threat-based formula makes sense in the post September 11th world that we live in. Mr. Towns. You mentioned in your comments earlier about communications and of course information sharing. Have the industry stakeholders coordinated their certainly internal efforts with your department? Do you feel that industry has made adequate progress in developing comprehensive security practices that are appropriately based on risk and level of exposure? Do you feel comfortable? Mr. Kelly. I think we can all do more. I think the private sector can do more, but I think efforts are being made, some industries, some companies do more than others. 
But, generally speaking, the message is out there, and as far as our relationship with them, you know, as I stated before, it's a very cooperative and close relationship. However, I think private, the private sector has gotten the message, but we could all do more. Mr. Towns. Can you describe for us what lessons have been learned from New York PD and the city since 2001 as to the value of having industry and government as partners in information-sharing activities? Are there barriers to adequate information sharing that remain problematic for industry or Government participants? I'm concerned about this flow of information and communications. Mr. Kelly. I believe it's better than it's ever been. As I said, our Shield, NYPD Shield program is all about information sharing. It's very well received by the private sector. We want to get information out, the Federal Government wants to get information out. There's a whole, there's an environment that supports information sharing now as never before in government, so nobody is holding on to information. Nobody wants to be caught holding on to information, quite frankly, so there's a lot of sharing going on. As I said, we had, in the London bombings, it was all public information, but we really got in the weeds with our private security partners, giving them a lot more detailed information than most of them had. And it's our belief that the better informed they are, the better able they are to protect themselves and thereby protect the city. We can't do it alone, that's our message to them. We need your eyes and ears, we need your active support, your active involvement. So I think prior to 2001, sure, I mean, we just didn't see the threat as we should have, but since 2001, it's gotten increasingly better as far as the sharing of information at all levels of government and government with the private sector. Mr. Towns. I yield back, Mr. Chairman. Thank you. Mr. Platts. Thank you, Mr. Towns. 
On the threat-based allocation, I was just reading your testimony in preparation for the hearing. It gave me as a member from South Central Pennsylvania a better idea of the challenges you face in allocation resources. In my District we have Gettysburg and some national sites of significance and certainly Philadelphia, but given how New York has been targeted not just in 2001, but in some of the intelligence since you referenced, back to 1995, the allocation, it certainly helps me to better understand the importance of that threat-based allocation approach. When we were here for the convention last year and had a chance to visit the Police Museum, times have changed from some of what was shared in that museum to today. The fact that there are seven officers deployed in other countries, being out there, proactive in your intelligence efforts is quite a difference from 100 or so years ago. One of the issues touched on about intelligence gathering and sharing intelligence, certainly within New York City and all your efforts, Federal, State and local, private sector. In Washington, one of the changes we made from September 11th was the Patriot Act, which was to allow information to be shared between those communities; intelligence gathering and law enforcement. Are you able to share specific examples of how the changes we made at the Federal level helped you at the local level here in New York regarding intelligence gathering because of those statutory changes of the Patriot Act? Mr. Kelly. Well, the Patriot Act helps the Federal Government, helps the FBI gather information, also exchange information or use information internally. It eliminated or greatly reduced the wall that existed in the FBI, for instance, between intelligence gathering and criminal investigation. So I know it's helped. 
I can't give you specific examples where it applied to New York City, but I can only assume like in certain cases, for instance, well, the Peracca case which I mentioned in my prepared remarks, I can only hope that helped in the investigation itself. It eases the flow of information, to me that's a good thing, inside the Federal Government. Mr. Platts. Thank you. The private sector and the various efforts that you have ongoing, reaching out to them, is there any financial contributions by the private sector to the city of New York or to the NYPD specific to acknowledge that there's a benefit to those private sector partners as well, maybe in a greater sense in some of your efforts, because it's really targeted, say, specifically to the financial sector, are there any resources that are allocated by them to your efforts? Mr. Kelly. Of course, they would argue that their taxes are their contribution. Mr. Platts. I would readily agree with them, but it's always good to ask if they want to give more. Mr. Kelly. I can give you one example, though, that there was a contribution. That's with the protection of the New York Stock Exchange. I mentioned again in my prepared remarks how certain intersections are protected by individuals trained by the NYPD. Well, they're paid for by the New York Stock Exchange. They also pay for some paid detail police officers that we have assigned there, but we have active duty on-duty police officers working there as well. We have significant resources devoted down there, but they're paying for that heightened level of security there, and of course you could argue that as we bring together security folks throughout industry and the financial services industry and we sort of task them in an implicit way to do things for us, that they're contributing. But that's the only hard example that I can give you of contributions where the New York Stock Exchange had paid significant amount of money for protecting the area around the Stock Exchange. 
Mr. Platts. And I think a good example of that partnership, public and private. I want to conclude in your testimony, you talked about continuing to adapt, especially with the business community here in the city with the coordination center between law enforcement and private sector and the need for Federal support for that initiative, and I assume that means funding support. I want to give you the opportunity to expand with Treasury and Homeland Security who is here, and the two Members that are here, maybe a little bit about what that is and the importance of it. Mr. Kelly. Yes, sir. The Freedom Tower is going forward at the 16-acre site of the World Trade Center. There will be other structures put in place there. Goldman Sachs has agreed to build onsite 26, which is right across from the Freedom Tower, so there's going to be a significant increase of people in the area and development, of course the financial services sector is going to be well represented. As that development goes forward, we are committed, the city is committed to putting in additional resources in the area that will involve both personnel, but also technology, and we're studying that now and moving forward with it. One of the plans that we have as that goes forward is to put in place, as I said, a coordination center, where we would have not only appropriate law enforcement agencies there, for instance, Metropolitan Transportation Authority, Port Authority, our own police personnel, Fire Department, but representatives from the stakeholders that will be there; the private sector security, and we envision that would be a 24-hour coordination center, and we've talked to industry leaders, they're enthusiastic about all this. But that's kind of our overall plan. It's going to be expensive. We think it's important for us to provide additional protection in that area. Now, it will not only be limited to that area let's say, below Chambers Street. It will also be somewhat north. 
Some of the things we're doing now are under our Operation Atlas, as I said, we mobilize twice a day and send our units out to sensitive locations. We use some of these resources to do that, so it will be--it will help us in doing some of the coverage that now we're taking directly out of patrol resources and other parts of the city. So that's kind of the overall plan. Yes, we certainly would like to have Federal resources to help whenever it could. Mr. Platts. Thank you. Mr. Towns, do you have other questions? Mr. Towns. Yes, I do. Thank you very much, Mr. Chairman. The recent disaster in the Gulf Coast region demonstrates for us that major events do not have to be terrorist-related to have significant consequences. Have there been any significant efforts made by the New York City Department of Police or the city itself to establish evacuation plans for, say, Wall Street or lower Manhattan in the event of a major physical disaster? Have State and regional stakeholders, such as Port Authority or MTA, been proactive in developing a comprehensive plan to move large volumes of people away from the disaster area in a safe and timely fashion? I guess the last part would be how can the Federal Government assist you in that process. Mr. Kelly. We do have very comprehensive evacuation plans. Evacuation plans are coordinated by the Office of Emergency Management, but the Police Department plays a significant role in carrying out those plans. We provide assistance in evacuations, going to areas that may be evacuated. Search and rescue would be part of the functions we would provide. We have a coastal storm contingency plan and we have an evacuation plan for the entire city. The city is divided into 150 sectors, and there are elaborate plans for that. As a matter of fact, Commissioner Bruno, the head of the Office of Emergency Management is testifying right now at the City Council on those plans. 
As far as the other stakeholders are concerned, yes, the Office of Emergency Management works with the Port Authority, MTA. Obviously MTA would provide a significant amount of the transportation used to evacuate areas of the city. We have, as you well know, Congressman, a very large public transportation system in the city; subway and buses. The MTA would be an integral part of any evacuation plan. Port Authority as well. As far as Federal Government assistance, I can't think of anything specific. I'm sure Commissioner Bruno can think of it, but I can't think of anything that comes to mind for me other than any resources that could supplement what we're doing, anything that could help in the movement of people in a major evacuation, but we are, we have plans to evacuate every sector of the city, not just the financial district in lower Manhattan, but I must say that area is in one of the flood plans. If you look at our coastal storm contingency plan, you'll see it's prefaced on certain assumptions; Category 1, 2, 3 and 4 storms. It does not go up to 5, but it does go up to 4, and there are flood areas in, say, lower Manhattan, that would be impacted by even a Category 1 storm. So there are plans to have an evacuation and also plans to provide services in that area, if something like a large storm hits us. Mr. Towns. Let me say, Commissioner, we really appreciate your involvement in the kind of information that you shared with us in Washington, you know, but we need to sort of do a little bit more to make certain they fully understand. Because when I say to my colleagues in Washington that you have 1,000 police officers involved in counter-terrorism and they, knowing the Police Department is not even 2 percent the size of that, it's hard to communicate with them what this really means, the impact of it. 
Do you have any ideas or suggestions of what you might say to us or give to us that we may further take back to our colleagues to try to convince them that New York is unique in so many ways, and that this is the financial capital of the world and that New York is a place that we need to make certain that is protected in every way. So do you have anything that you might want to share with us further that we might be able to convey to our colleagues? Mr. Kelly. I think every part of America, indeed, significant parts of the world would be adversely affected by another attack in New York. We know that al-Qaeda's goal is something bigger and better than September 11th. They're not looking at small bar events in this city, they're looking for something larger, and it's been stated in a lot of different ways. So anybody who thinks that it just affects New York City or New York State is mistaken. We're protecting, as I said in my remarks, national assets. We're protecting assets that if they're attacked, will have an adverse impact across the world. You look at the things I mentioned. Look at New York Stock Exchange, you look at American Stock Exchange, NASDAQ. You look at the financial services industry headquarters that we have here. We have an attack here against any of those institutions, it will reverberate throughout the world, and certainly throughout America. So I think that's the message that has to go back to Washington. We understand that people are concerned about their districts, that's what they're in Washington for. But you also have to look at the bigger picture. Because if we're struck here, it's going to hit in some way, shape and form, every congressional district in America and it's going to hit in a very hard way. The next event, God forbid, if there is one, is going to be, unfortunately, at least in their planning cycle, their planning minds, much larger than the last one. Mr. Towns. Thank you. I yield back. Mr. Platts. Thank you, Mr. Towns. 
Thank you, Commissioner for your insights. I appreciate certainly your current service here in New York, but I also mark your great service as a combat veteran in Vietnam and your 30 years in the reserves. As a fellow citizen, I'm personally grateful for your dedication to all of us citizens. Mr. Kelly. Thank you very much. Thank you, Mr. Chairman. Mr. Platts. We'll take about a 2-minute recess here while we get our second panel: Mr. Parsons, Caverly and Muccia. Thank you. [Recess.] Mr. Platts. We'll reconvene here and again we're delighted to have our second panel here: Mr. Scott Parsons, Deputy Assistant Secretary, Critical Infrastructure Protection and Compliance Policy, Department of the Treasury. Glad to have you with us. Mr. James Caverly, Director of the Infrastructure Coordination Division, Department of Homeland Security and Mr. James Muccia, first deputy superintendent of banks. Now that you're all seated, if I could ask you all to rise, we'll swear you in and proceed with your testimonies. [Witnesses sworn.] Mr. Platts. You may be seated. The clerk will note all three witnesses affirmed the oath. We'll proceed first with Mr. Parsons. If you'd like to begin, and again we'll use roughly a 5-minute guideline, but we're glad to hear your testimony in full. STATEMENTS OF D. SCOTT PARSONS, DEPUTY ASSISTANT SECRETARY, CRITICAL INFRASTRUCTURE PROTECTION AND COMPLIANCE POLICY, DEPARTMENT OF THE TREASURY; R. JAMES CAVERLY, DIRECTOR, INFRASTRUCTURE COORDINATION DIVISION, DEPARTMENT OF HOMELAND SECURITY; AND DANIEL MUCCIA, FIRST DEPUTY SUPERINTENDENT OF BANKS, STATE OF NEW YORK BANKING DEPARTMENT STATEMENT OF D. SCOTT PARSONS Mr. Parsons. Thank you very much. Chairman Platts, Ranking Member Towns, thank you very much. We really appreciate the opportunity to be here today to testify on the financial services sector preparedness to handle a wide scale disruption. Mr. Platts. Mr. Parsons, do you mind holding that a little closer? 
I can hear you, but I'm not sure if everyone can. Thank you. Mr. Parsons. I am pleased to tell you that the financial sector has made tremendous progress to insure its resiliency to withstand both man-made and natural disasters. President Bush has led the development and implementation of an effective program to defend our country's critical infrastructure. The financial services sector plays an indispensable role in the Nation's economic system, providing individuals, businesses and the government with credit and liquidity, short and long term investments, risk transfer products, various payment systems and depository services. It enables people to save for their education, their retirement, to purchase their homes and to invest in their dreams. The financial services system is essential to America's overall economic well-being. I note that we have experienced a number of events in recent years that test the resilience of the sector. The attacks of September 11, 2001, the power outage of August 15-16, 2003 and the elevated threat level for the financial sector of August 2004 have all tested the preparedness and resolve of the financial services sector. Most recently, Hurricane Katrina caused unprecedented devastation in multiple States. Yet the financial system has survived each of these events and through hard work and investment becomes stronger and better able to withstand such disruptions. The President has mandated that the Federal Government work closely with the private sector to protect the Nation's critical assets and infrastructure from major disruption. An important and unique insight that guides this strategy is that nearly all of the financial infrastructure is owned by the private sector, and, therefore, the success of our protective efforts depends on close cooperation between the Government and the private sector. On December 17, 2003, the President issued Homeland Security Presidential Directive No. 
7 which establishes a national policy for Federal departments and agencies to identify and prioritize U.S. infrastructure and key resources and protect them from terrorist attacks. HSPD7, as it's known, recognized that various departments and agencies have specific knowledge, expertise and experience in working with certain sectors. Therefore, this directive provided for sector specific agencies or lead agencies for given sectors and the Department of Treasury has been designated as a sector specific agency for the banking and finance sector. It is under this designation that Treasury collaborates with appropriate private sector entities and other governmental agencies to encourage the development of information sharing and analysis mechanisms and to support sector coordinating mechanisms with the purpose of, No. 1, identifying, prioritizing and coordinating the protection of critical infrastructure, and, No. 2, to facilitate the sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures and best practices. Secretary Snow has a very strong commitment to insuring that the financial system continues to serve all Americans. The Nation's economy has been a constant target of terrorists who wish to do us harm. A consistent part of the rhetoric from Osama bin Ladin and others is the overall ideology to attack our Nation's economy, to attack the financial system to support it and to try to do us harm in this manner. Secretary Snow has tasked the Treasury Department's Office of Critical Infrastructure Protection and Compliance Policy to be responsible for developing and executing policies affecting both the physical and the cyber security of the U.S. financial system. The majority of these efforts require close cooperation and partnership with the public and private sector, and there are a number of important groups that we work with to achieve this end. 
One is the Financial and Banking Information Infrastructure Committee. This is a body of all of the Federal and State financial regulators and the Treasury Department is the Chair of this committee. The second is a private sector body, the Financial Services Sector Coordinating Council. You'll be hearing from the Chair of the FSSCC, as it's known, later on this morning. We also utilize an important information sharing mechanism called the Financial Services Information Sharing and Analysis Center or the FS-ISAC. That is a body that is run by the private sector with the sole purpose of disseminating critical physical and cyber threat information to the financial services sector members. And last, I would mention an important development, something that we think holds great promise and that is the creation of regional coalitions. I note specifically, Ranking Member Towns mentioned the futures industry. The first coalition of this nature is called ChicagoFIRST. It was based in Chicago with the recognition that the futures industry plays a prominent role in that city, and its goal by its members was to advance homeland security protective measures, specifically with local emphasis on it. We believe that this was a great model and we were able to partner with several other entities, including BITS, to document the steps that went into creating this and we've since published that document. I'm pleased to tell you that there is considerable focus on this initiative within the Department of Treasury and we are close to seeing some new announcements for new regional coalitions that will involve not only those on the east coast, but hopefully the west coast as well. With that, Mr. Chairman, I conclude my opening comments. [The prepared statement of Mr. 
Parsons follows:] Mr. Platts. Thank you, Mr. Parsons. Mr. Caverly. STATEMENT OF R. JAMES CAVERLY Mr. Caverly. Mr. Chairman, Mr. Towns thank you for having us here today. What I'd like to do is summarize my comments and enter my statement into the record. As we're all aware, protecting the Nation's critical infrastructure is really a partnership and it's a new kind of partnership between the owners and operators of that sector. Most of them being in the private sector and then State government, local government and Federal Government. Your panel of witnesses today I think does a great job of exemplifying exactly what kind of partnership needs to be there to insure that the Nation's critical infrastructure is protected the way we need to protect it. Clearly, the events of September 11th, the power outage of 2003, then the casing reports heightened financial alerts in 2004 identifies the impacts that terrorism or threats of terrorism can have to the financial communities of this country and as Police Commissioner Kelly said, those impacts will reverberate across the country. The Department of Homeland Security really has three principal objectives when dealing with critical infrastructure. One is to provide the resources and training to State and local government and law enforcement training for security enhancements. The other is to provide information to those various levels, whether they're the owners and operators of the individual components of the Nation's infrastructure, to local level law enforcement, State law enforcement and then across the Federal partnership of the kind of information that is necessary for each of those people to create risk assessments and react appropriately within the environment in which they're responsible for. 
And then underneath that is the creation of a fluid and viable information-sharing mechanism that will allow us to get the information quickly out to the points of decision and bring back information into the analytical framework that allows us to look at this as a total picture. As Mr. Parsons identified, the President's directive to his cabinet contained in HSPD7, Homeland Security President's Directive 7, a key component of that is asking members of the private sector to create a framework in which we can deal with the sector as an entity. The financial services sector was the first sector to come across and create a single entity called the Sector Coordinating Council, and you'll be hearing from Mr. Donahue the head of the FSSCC later. Looking at that and looking at what was done in Treasury with some activities of our own, we implemented the National Infrastructure Protection Plan a framework across all of the sectors to create a set of sector coordinating councils and government coordinating councils that will allow us to act on this partnership. We believe the financial services has shown us a great way in which to build this framework. The other thing that HSPD7 directs the department to do is develop a National Infrastructure Protection Plan that is looking at setting security goals, identifying assets and assessing new risks. The NIPP plan was put out in a base plan in February of this past year. The next version will be coming out shortly. Once we get the base plan out in the next short timeframe, we'll begin working with each of the critical infrastructure sectors to develop a sector specific plan that focuses on each of the sectors and the activities the various players have to do both at Federal, State, local and also private sector level. A key component of one of the things that the department is working on is a risk assessment methodology. 
Secretary Chertoff has made risk assessment a key component of his program to enhance the Nation's critical security infrastructure. We developed a Risk Assessment Methodology for Critical Asset Protection [RAMCAP]. As we implement and develop the data inside, it will allow us to assess the risk across the infrastructures and do it comparatively. Because of the connected nature of the infrastructure, this is very, very important. As I said earlier today, the panel here reflects a good level of the coordination and integration that needs to take place. We believe that the activities of August 2004, which led us to heighten the Homeland Security alert level in New York and Washington in the financial services sector is a very good example. As the intelligence was developed, we began working very closely with NYPD and the owners and operators and security directors in specific facilities that have been surveilled. We were able to take very quick and appropriate action across not only the responsibility of what local law enforcement and Chief Kelly were able to do, but also the owners and operators were able to do and share information. We think that is an example of exactly how this partnership should work because each of us has certain responsibilities in the framework. One of the things about the financial services sector is the redundancy that is built into the system. Because of things that happened in the financial services sector in the 1980's and 1990's, when in fact it lost power in lower Manhattan and when it lost telecommunications at certain times, it built resiliency into its system. It has a very, very robust, resilient system to allow it, as the chairman pointed out, to resume its financial operations quite soon after taking a serious blow. We think that's important. 
The national communication system is part of Department Homeland Security and we're working closely with the financial services sector to insure the telecommunication backbone for their information flows has the kind of resiliency and redundancy necessary to insure that no matter what happens the transactional part of that connectivity can continue. One of the most important parts is a program we call ``route diversity methodology.'' It insures as you look at the networks of the telecommunications that in fact all transactions are moving across a very diverse network, as opposed to being funneled into single hubs and therefore building a resiliency outside of that. The last thing I'd like to make a brief comment about is Homeland Security Information Network. It is a framework the Department of Homeland Security is deploying that will allow us to connect to the various groups, whether regional groups or things such as the Financial Services ISAC. It is a cohesive network that allows a sharing of information not only inside the sector, but across sector lines and also across jurisdictional lines to insure that the information part that flows either to or from the Department of Homeland Security is accessible, whether it's law enforcement information, first responder information or information that we receive from the private sector. With that, Mr. Chairman, I'll take your questions. [The prepared statement of Mr. Caverly follows:] Mr. Platts. Thank you, Mr. Caverly. Mr. Muccia. STATEMENT OF DANIEL MUCCIA Mr. Muccia. Thank you, Mr. 
Chairman, and Congressman Towns for allowing me to submit this testimony to you today on the current status of financial market preparedness for wide scale disasters or disruptions. I will briefly summarize the key points contained in the department's written testimony. First, I do not believe that the financial regulatory community or the banking industry have become complacent. The stakes are too high, and the reminders too frequent. Certainly, if there was a threat of complacency setting in, the recent catastrophe in the Gulf Coast and New Orleans has served as a powerful reminder that we can never be too prepared. Second, effective communication and coordination between State and Federal banking agencies is essential to rapid recovery. From our perspective, the protocols set in place by the Financial and Banking Infrastructure Information Committee, which Mr. Parsons chairs, or FBIIC, have proved to be effective in improving communication and coordination. We understand from our fellow State regulators in Louisiana that coordination with their Federal counterparts in response to Katrina have been excellent. We at the New York State Banking Department know how valuable that communication and coordination is, as it was tested both during September 11th and the August 2003 power blackout. Third, our assessment of the readiness of the New York State banking institutions we directly supervise is based on our ongoing supervision and onsite examination programs. Overall, our examiners are giving good grades to our institutions. The small number of institutions that are considered critical to the system are being held to a high standard of business resumption capability and are expected to meet current supervisory standards and targets. The vast majority of non-critical institutions have adequate plans and those missing the mark are in the process of correcting deficiencies. One area that we will be focusing on in the near term is testing. 
More testing of business continuity plans is needed. Test results need to be more carefully and vigorously audited and the scope of testing needs to be widened. We are discussing how to achieve this with the Federal banking agencies that share our supervisory responsibility over our institutions, and I expect formal guidance will be issued in 2006.

Finally, we recognize that business continuity planning is a continuous process that requires our constant vigilance and attention. We are committed to insuring our institutions are as prepared as possible and thank Congress and this subcommittee for your continued support and attention to this critical challenge. Thank you.

[The prepared statement of Mr. Muccia follows:]

Mr. Platts. Thank you, Mr. Muccia. I appreciate each of your testimonies. Each of you I believe in your written testimony and here today referenced an August 2003 blackout. It was in a sense the first major test after September 11th here in the New York area. The blackout was also a test especially throughout the northeast of how our new coordination was going to work. I'm interested if each of you would want to share your perspective of how your organization responded. Also, what will be especially informative is the things that didn't go as you expected 2 years after September 11th.

Mr. Parsons. Sure. Our observation is, as you noted, Mr. Chairman, the power outage was indeed the first real test of the mechanisms that we put in place after September 11th. We felt they worked very, very well for a couple of reasons. One is it was critical to get information out to the sector as quickly as possible, and it had to be an exchange of information. We knew there was a blackout, but we also wanted to find out what was happening in New York City. Those mechanisms worked very well.
The communications that we had built in were very effective in ascertaining the situation and within 15 minutes or so we had a good understanding of what exactly was going on. I would also note that they were instrumental in being able to help spread the word as quickly as possible. This was in fact not a terrorist incident, which I think was very, very important for everybody at that time to understand. Additionally, it enabled us to convene, for example, all of the financial regulators to look for any problems that we may have had. If there were any imbalances created due to the time of the incident, thankfully it came after the closing of most of the major markets. Were there any things or actions that we needed to do to immediately from a regulatory standpoint, and then also in working with our private sector coordinating body, the FSSCC, we were able to identify any needs that they may have had very quickly.

I think it's important to note that the financial sector is extremely resilient and most of the firms here have well-drilled, well-thought-out backup emergency plans. Nonetheless, we used this mechanism to find a couple of examples where we needed to intervene. One example of that is at the American Stock Exchange. It needed a new generator so they could cool its training floor. While working with the New York Office of Emergency Management, we were able to coordinate the delivery of that to help the AMEX get back on line quickly.

Very briefly, I would say there were some lessons learned for us. One of them is the interdependency that we have on other sectors. You heard Mr. Caverly talk about telecommunications.
That's a very big concern for us in financial, but we also learned, for example, the need to resupply generators to--if we were going to have a sustained outage, and we have subsequently through the FSSCC convened meetings with other government agencies like the Department of Energy and the Department of Transportation to discuss these and other lessons that we learned not only from that event, but from other pieces of our thinking on this as well.

Mr. Platts. Thank you.

Mr. Caverly. One of the things that it did was reinforced the critical role that information sharing plays. There were existing mechanisms prior to the creation of the department; relationships between telecommunications and electricity specifically because of their interdependency nature. Based on the activity that came out of that, DHS has set up the National Infrastructure Coordinating Center, to provide transparency.

The lesson that moved us in that direction was that on Friday morning after the blackout, as we were talking to the telecommunications and electricity people, the electricity people pointed out that power would not come on in Detroit until Sunday. The telecommunications people identified that presented a significant program for their wireless nets, because most of them depended on batteries, some on generators. They recognized they needed to bring more generators in as well as resupply the fuel to the generators that were there, but they didn't have existing relationships with suppliers. We were able to take them and connect them up with the Michigan State Energy Office who knew all the suppliers and could quickly make sure they had the supply they needed until the power came back on.

It's that kind of transparency and sharing of information that's critical to a situation like that. The media gives us some heads up, but there are things that come from the operating parts that the owners and operators know and we need to create a better more fluid forum.
The NICC is the process, and as we built the connectivity it provides the capability for those extraordinary communications that have to take place in a crisis.

Mr. Muccia. I would agree with Mr. Parsons in terms of the overall connectedness of communication. I think one of the things that happened was some of the protocols we put in place that we learned sort of ad hoc on September 11th we got to use in the blackout event. It was a more formal structured way of communicating that helped get the word around more quickly. Our institutions did very well. So overall in our department we exercised our plan and had representatives at the Federal Reserve in New York. We were in contact with SEMO and New York OEM. So overall, it worked very well.

Mr. Platts. The lessons learned in that coordination, for example, the fuel to the generators to control and identify quickly what the problem was, how did working with utilities, what was the cause for that? I think you're right to get the word out quickly to the public that this is not a terrorist attack. It was an infrastructure breakdown basically. I didn't learn it as quickly as the rest of the country, because I was tent camping in the Northwest at the time. I learned about it a day late I think, behind everybody else. I was removed from civilization with my wife and kids. But in getting a handle of what did happen and how quickly word did get out, given that the utilities are private sector, how did that happen? You needed to learn here's what happened, why it happened and then share that publicly.

Mr. Parsons. The first thing we determined very quickly is that this is not an act of terrorism and that was simply done by--I guess it would be a collection of information that flowed in all at once.

Mr. Platts. Was it the private sector coming forward too?

Mr. Caverly. It was.

Mr. Parsons. Both.

Mr. Caverly.
To some degree you can understand the structure--the North American Electrical Reliability Council, which sets the reliability standards for the electric industry is a central point for information. They were on the phone by 3:30 that afternoon identifying the cause of it, which was a rolling blackout caused--they didn't know initially what caused the system to start tripping out, but they were able through their reliability coordinators in the reliability region to identify that's how it happened. Then you went back to the operating center. So they built the picture quickly of what the cause was, being able to talk. So the information comes out of them very, very quickly into the system. Remember, it is a regulated industry, so the reporting requirements are a little more structured than some other parts of the private sector. In that case the information came out of it, as well as the reporting you were getting in the media--there was no report of explosions or other such things.

Mr. Parsons. Mr. Chairman, it was also useful again to hear from people in the affected city who were saying, ``we don't see any explosions, we just see the lights have gone out. There's no smoke, there's no fire.'' I guess I would answer that it was kind of information flow both ways, to and from.

Mr. Platts. Mr. Muccia, you mentioned that you worked with SEMO here in New York. Would that have been the case prior to September 11th, your involvement, the Banking Department, immediately, being part of that Statewide effort in responding? Did that change because of September 11th or would that involvement of the Banking Department be there already?

Mr. Muccia. It really changed I think to a significant degree with preparations for Y2K, where we really--we always had it there, but I think in terms of taking it more seriously and being more prepared, it started with Y2K and certainly September 11th really brought it home.

Mr. Platts.
Obviously, there's an endless list of efforts we could engage in and you've each highlighted some very important ones that your organizations are now pursuing. There's not an endless sum of money out there, and so you need to be smart. Last, we had a hearing on managerial cost accounting in trying to make that cost benefit analysis on the Federal level in that case in two or more departments; Veterans Affairs and Labor. In what way does that go on with your respective organizations that you're trying to do that kind of cost to benefit? It kind of relates to the Commissioner, the threat-based provision of funds, but internally in your organization, how do you go about that?

Mr. Parsons. That's a very good question. We do have a limited sum of money and as you noted, we could spend freely, but we can't do that. So what we try to do is we try to take a risk-based approach to our efforts at the Department of Treasury. What we've first done is working with the other financial regulators, we've identified the wholesale clearing payment system, which is really, if you really think about it, it is the series of mechanisms and institutions that really make the financial system work, and we've chosen to direct our efforts to those entities, believing that we will get a huge return that will in fact create a cascading effect and that other firms will benefit from this knowledge and our efforts there.

We've embarked on a testing regime which is not focused on simply doing a test, it's really focused on doing a plan, and that plan involves the State and local officials and the affected institution, the institution that we've all collectively identified or the series of institutions. So it's very targeted and at the end of the day we have a plan that not only involves one center, but involves many of the operating capacities within these given institutions.
So I guess I'd summarize by saying you really have to take a risk-based approach in thinking about where will we get the best return for our dollars, and we do think about it before we accentuate programs. I would also add through our partnerships with the regulators and with the Financial Services Coordinating Council we get a tremendous scale to our investment and it reaches a vast majority of the financial sector.

Mr. Caverly. Secretary Chertoff is devoted to a risk-based approach in vulnerability and consequences related to the infrastructure. As you can imagine, the department has to look across all 17 critical infrastructure sectors. The RAMCAP methodology that I mentioned earlier allows us to look at the risks associated across the sectors and ultimately prioritize and allocate across the sectors the limited resources that are available. It doesn't do us particularly good if you have the best and most resilient systems in the financial services sector and you haven't accounted for the risk to transportation or telecommunication risk or cyber risk. So we have to look across all those components of a very intertwined infrastructure and prioritize our assets on a risk basis, so in fact we make the system resilient.

Mr. Muccia. We also use a risk-based approach in terms of our supervision and examination and key to that is really our program of CPC's or resident examiners at critical institutions that we share responsibility with the Federal Reserve or the FDIC, depending on the institution. So we leverage off each other in terms of sharing resources, responsibilities with the Federal banking agencies and we use resident examiners on those key institutions to stay in touch and in focus and we leverage off work. We can't do it all ourselves, even the Federal banking regulators can't. We leverage off the work done by the businesses themselves, utilizing their internal audit reports and their external audit reports and their internal policies and procedures.

Mr.
Platts. You mentioned in your answer about RAMCAP. Where do we stand in that development deployment of that?

Mr. Caverly. The framework for the methodology has been developed across the spectrum. We are now doing modules across each of the sectors. Obviously, that methodology is important as we develop the NIPP plans for each sector-specific agency. So those are scheduled to be completed later this fall for each of the sectors.

Mr. Platts. Thank you. Mr. Towns.

Mr. Towns. Thank you very much, Mr. Chairman. Let me begin with you, Mr. Parsons. You talked about a regional coalition and of course you talked about ChicagoFIRST. Many people are saying that methodology should go further than Chicago, because there's extra cost involved. My question is, ChicagoFIRST, I thought it should be New York First, but that not being the case, could you tell us in terms of the makeup of that and what it's all about and is it true that the reason you're having difficulty moving it forward is because of the additional resources that would have to be allocated in order for it to be a reality.

Mr. Parsons. Congressman Towns, I can tell you, ChicagoFIRST is an interesting story. It started out with two participants for large firms there who said, hey, we feel like we're not getting adequate representation to the local level, at the local level for what the financial services sector really needs. And that conversation led to an idea which in turn led to collaboration and the result of this over a period of time, including with the encouragement of the Department of the Treasury was the establishment of ChicagoFIRST.

I can comment on a couple of things related to funding. One is, it is a self-funding organization. That is, its members have agreed to pay dues to fund its effort. They have appointed an executive director who is a full time employee and who coordinates all of their activity. They also have a president and they have a board of directors that oversees their operation.
So I don't believe that in the case for ChicagoFIRST that funding has become a tremendous issue at this moment in time.

What I would add, though, is we've been working actively to encourage the creation of other organizations like ChicagoFIRST in other areas of the country, and we believe they're extremely useful. I would note it would have been very helpful, for example, to have sort of a single point of contact that represented the financial services sector in New Orleans as we worked for the recovery of Katrina. I think our mechanisms are working well. This would have simply augmented and made our flow of information and our exchange of needs and ideas more effective. So we are hopeful that we're going to have, in fact, we plan on having an announcement on October 13th about the formation of a new organization in Miami. We hope to have additional organizations as well.

Mr. Towns. Let me ask you, will you provide additional money or resources to move this forward? I know you said there's the different companies, agencies put money in, but are you willing to also put additional resources in in order to make it a reality?

Mr. Parsons. That's a great question. We at this time, we have not planned for specific investments toward the establishment of these organizations, other than our work to go down and share with them the documents I referenced in my opening remarks and written testimony that we partnered with BITS on, a how-to model, a how-to cookbook, if you will, to establish these organizations. What we have done, though, and we've done this twice with the case of ChicagoFIRST, is we have funded an exercise with ChicagoFIRST as the point to test various aspects of response, recovery and generally trying to identify needs within the community, and I would tell you that we would plan on doing that for the other regional coalitions as well.

Mr. Towns. There seems to be a lot of excitement around ChicagoFIRST. I just want to share that with you.
I think that's important. Mr. Caverly, as the department moves forward with its reorganization under Secretary Chertoff, can you describe for us how the new structure of DHS will improve the agency's efforts to strengthen critical infrastructure protection activities? Will these new government structures have adequate authority and attention from the Secretary? How do you anticipate the new Office of Intelligence and Analysis improving upon the sharing of information between public and private sector participants, such as the financial markets? And also, I guess in terms of the issue of privacy, has that popped up?

Mr. Caverly. Let me answer the question somewhat in a bit of reverse order. On the privacy issue, privacy always remains a critical concern of the department, because as you look for the information that will help you do--identify the strengths, identify indications and warnings, we always run into the risk of having information on U.S. citizens that cause problems with existing privacy laws. So we're working very, very hard to insure that we get a robust information analysis system that doesn't violate the rights and privileges of the American citizens for the privacy of their personal information. So we work at it. It does present certain problems that each of the units within the department have to work with based on the kinds of information they need to build the picture that allows them to assess risk, identify threat.

Relative to the Secretary's reorganization, I think if you look at it, the new rules proposed under the Secretary for preparedness if you think about it, protection is a seamless framework that goes from preparedness through protection to response and recovery. Because if you can respond and recover as quickly and efficiently as possible, you reduce the impact, reduce the consequences of an event, whether a natural event or man-made event, terrorist event.
So what the secretary has done in that case is combined into one unit the responsibility for the preparedness which the administration recognizes in HSPD8 the responsibility for protection or prevention, if you want, in HSPD7 and the response and recovery which is in HSPD5. So he brings together a framework that has both the preparedness planning, the infrastructure protection planning and, obviously, the national response plan all into one framework.

The other thing I think that the Secretary's reorganization recognizes is there's a vast span of responsibilities in agencies of the department, and what he's really set up is a framework that allows the coordination and the sharing of information and the transparency necessary so that those various responsibilities resting with individual agencies and organizations can complement each other and not duplicate.

Mr. Towns. Right. Thank you very much. Mr. Muccia, let me ask you, sharing information about potential threats is viewed as a critical step in helping to insure the financial institutions are better prepared to protect their operations from disruptions. How is your organization assisting in providing such information to financial institutions? I would assume that an electronic attack could easily be targeted on a small institution just as it could a larger one. Are there additional barriers you can identify for us in regards to effective information sharing practices that are the potential solutions to this problem?

Mr. Muccia. Thank you, Congressman. You mentioned cyber attacks and New York has a cyber security office that concentrates on those threats and gives advice to the industry, and one of the mechanisms we actually have set up is a collection of those types of events that gets centralized at the New York office and then scrubbed of identifying information and then put out to the industry so they're aware of what types of attacks are going on.
In terms of information sharing, in terms of a crisis, we have a number of points of contact, where we will establish communications. One of them I already mentioned before, that is indeed our resident examiners at individual critical institutions. For all institutions, including the small ones you talked about, we have numerous contacts available to them. Obviously, they kind of depend on the telecommunication system working, but we have obviously contacts through cell phones, Blackberry, we have some satellite phones available to the department, so in terms of the infrastructure we have as many different varieties; Internet, available. If our offices in New York City--and we will reach out, part of our plan is we like to be proactive and reach out to institutions to find out what's happening--if we're disabled in our offices downtown, we switch to our offices in Albany. If we need to reactivate our hot site within 24 hours, if we have to do that, we have numerous points of contact. We also have examiners who have given their contact information, their home phones and so forth to various institutions, so we have a number of ways of doing it and then with our programs of having representatives at the State Emergency Management Office at their operations center, at the New York City OEM office and at the Federal Reserve Bank of New York, we therefore have numerous points of getting into contact.

Mr. Towns. Thank you very much. Let me just ask all of you down the line, starting with I guess you, Mr. Parsons. You always hear about communications, sharing of information, coordination, you always hear this. Is there anything that Members of Congress can do to improve or facilitate that in any way? I know you guys hate for us to stick our nose under the tent, I understand that.

Mr. Parsons. Congressman, that is truly an excellent question. You know, we've put a lot of effort, as you noted, to information-sharing mechanisms.
I would note here today that Director Caverly is working very hard on the further creation of the Homeland Security Information Network, which we wholeheartedly support and we think that's going to be an excellent mechanism. It will complement other things that we have currently in place. Honestly, I think at this point I don't have a good answer for you, other than to say nothing comes to mind.

Mr. Towns. Right, OK, thank you.

Mr. Caverly. Congressman, I think there are two things. One is something, not something Congress can fix, but is just getting the two institutions, government and the private sector to understand the information needs on both sides and be able to transfer them into something that's useful to them. The intelligence community presents information in a certain way that is understandable to professionals that have dealt with them for a long time, but not potentially understandable to a security director who has not been engaged with them for a long time. Our job is to find ways to do that and we're working very much on.

I think the other issue, I think this is one where the legislative entities across the country, whether they're local, State or Federal, need to continue to search for the right balance between the need to have sensitive information protected so that it's not in the public domain versus the public's right to have the information it needs to form judgments. There's a delicate balance, but we're moving into an area where the information needs to be shared between the owners and operators, the infrastructure and the government, that doesn't need to be in the public domain, whether it's vulnerability information or intelligence, and we need to strive to find a balance in those two very pressing needs.

Mr. Muccia. Congressman, nothing comes to mind right away.
I think in my limited world of banking supervision we've had a long history of cooperating with the Federal banking regulators, State and Federal, through our joint examination programs our joint supervision programs, so we're very used to having this close coordination and communication.

Mr. Towns. Thank you very much.

Mr. Parsons. Congressman, I just might add, Congress has already acted in a very beneficial way, that's the Intelligence Reform Act; working to bring down barriers between agencies that will help us to share information both among ourselves and with the private sector as well.

Mr. Towns. Thank you. I yield back to the chairman.

Mr. Platts. Thank you, Mr. Towns. Mr. Parsons made specific reference to the Patriot Act, intelligence reform. We're obviously dealing with the reauthorization of that and trying to strengthen some of the civil rights protections, but as I referenced to Commissioner Kelly, that information sharing, obviously, is critical to what you do within the Federal department or in sharing information with local entities like NYPD.

Mr. Parsons. Yes.

Mr. Platts. I want to ask Mr. Caverly, you in talking about the Infrastructure Protection Plan, that implementation going forward, how often is that coordinated plan reviewed for--in response now to Katrina and Rita, how would that process go forward? Is it a weekly review, monthly review? Is there a set approach to it or is it more just as we learn you go back and revise?

Mr. Caverly. I think there are several pieces of that. There is a preparedness plan, which we've begun to work on with the department relative to the scenarios to be prepared to deal with and that's an iterative process that the Office of Preparedness will be doing. The National Infrastructure Protection Plan is still under development. We have a base plan framework that we put out an interim plan last February. The base plan will come back out for comment to the American public shortly.
Then there will be individual sector plans after that. Currently the plan is for the Director to look at that annually. We may look at that cycle and say maybe a biannual review, it might be longer than that. Then ultimately the response down to Katrina and Rita were all carried out under the National Response Plan, which was an effort by the department based on congressional direction to combine a large set of Federal response plans that were not connected in a single framework. So the National Response Plan put out a year and a half ago does that and that will be a process to come back and see how well those integrated pieces work down in the southern part of the country.

Mr. Platts. In developing the plans and getting feedback on how to protect the infrastructure, and today we're focused mostly on the financial sector, but another part of infrastructure is chemical facilities, chemical plants. How much outreach--I'll give you an example. I had a constituent came to me and my staff, then followed up with the department in terms of how this was being addressed. A driver for a company that does a lot of transportation of chemical, very volatile chemicals and his concern that when presented with some of these plans, the identification, confirming that he is who he's supposed to be and entitled to pick up this very volatile supply order, that it was very lax. Do you reach out within the department where actually you go to those drivers and randomly pick some; say, how do you see it? Or, how do you get feedback?

Mr. Caverly. It's a couple of things. There's obviously security protection advisers located around the country going out to facilities, visiting the supply chain part of those facilities to pick up that kind of information.
Across something like the chemical sector, there's a range of activities they do from something like the American Chemistry Council for the largest manufacturers that have a responsible care program for their security program, which is best practices for them. Some of the other groups do. We created a Chemical Sector Coordinating Council along the lines that we've seen in financial services for the intent of making sure that those kind of best practices, those kind of knowledges, those protected activities can be translated across a wide range of different kinds of facilities, different kinds of concerns and operational realities. I think it's a mix of the two things you identified.

Mr. Platts. I would encourage that outreach in that example that the driver, his--as we're doing more background checks on the drivers so they can get their license and be approved. Say it doesn't mean a whole lot if someone bumps me off enroute, takes my spot and pulls in and they don't check to see he's not me. That type of outreach. Sometimes we look at that big picture and forget that the guys are in the front lines, get their insights which are sometimes----

Mr. Caverly. That highlights the interdependence of all of the components. It's not just a single component. It's a system of systems.

Mr. Platts. It is. You have to look at the plan itself with the transportation network that's involved in distributing what that plant is manufacturing. Mr. Parsons, on the interagency capability sound practices to strengthen the resilience of the financial system 2006 timeframe we're looking at for those protocols or those practices being put in place, what's your assessment of where this industry is as being able to comply with that timeframe?

Mr. Parsons. I believe the industry is well along, and I believe they will comply with deadlines that have been set.

Mr. Platts. Is there any possible problems that may need to be revisited or just that are not realistic or overall, are you optimistic?
Mr. Parsons. Congressman, at this point I've heard of no problems, I'm not aware of any. So we remain optimistic the goals will be met. I will take the opportunity to commend the sector because they have been extraordinary in their response to this document and they've made extraordinary investments and extraordinary progress.

Mr. Platts. Great. The coordination. And Mr. Caverly this may be specific to you, the coordination, again, of information being shared here, it seems that we've seen tremendous success in the private sector and public entity in sharing information, what's happening and how we need to respond. We had a blackout in York--old York, PA, not New York--a while back and one of the issues that came to my office was there wasn't a preestablished ability of businesses to have direct access to utilities. Where all of us as residents want our refrigerators working, our lights on and air conditioners individually, but there are entities that affect a much greater population base because of the service they provide to the private sector, and so they ended up coming to me, because I had a contact through my State House days in dealing with this utility and we kind of became the conduit for information from the utility, the private sector provider and timeframe to these businesses, especially food warehouses and things, so we could decide how are we going to manage this problem long term. We became that conduit. Obviously, it would have been better if it was preestablished. What do you hear on that direct access specifically to the energy, to utilities with the financial sector in New York?

Mr. Caverly. I think in New York, again, based on the history that the financial sector has had with New York, it has very good connectivity both in telecommunications and electricity.
Again, unfortunately it's because they had problems in lower Manhattan historically that did in fact move this up on the many things that somebody has to consider in assigning their resources to. I think what you highlight is the need to say one size doesn't fit all here; that we need things that operate on a local level, could operate on a regional level and could operate on a national level to insure that the kinds of information that you need to continue your operation, the continuity of operations, is accessible to you. The utilities are doing a much better job in putting information now up on the web and having it accessible, but, again, if you're not used to looking for it there, it might take you some time to find that information. They understand the benefit to them of having that transparency out there and being able to get the information out, particularly in a day of 7 by 24 news coverage where, clearly, misinformation causes far more trouble frequently than not. So there is an incentive for them to provide that kind of connectivity. If you look at groups like ChicagoFIRST, if you look at the program that Commissioner Kelly talked about Apple in New York, those local activities that provide that connectivity and dedicate the time to be connected to understand where to get that information is a thing that has to happen. So I think we all have a role to play in getting to what you're suggesting, which is the ability to have the information needed to make the decisions when something happens.
Mr. Platts. And that's great for a followup. When it's information from your organizations to the private sector, some of that information is very sensitive intelligence information. How do you handle or prepare for the transfer of sensitive intelligence with those receiving entities? Do they go through a certain level of personnel background checks and things that they're entitled to be privy to what you're sharing?
Mr. Caverly. Unfortunately, the system that we have for protecting that national security information never envisioned what we have now, which is part of the private sector, we have been able to through a system of security clearances, etc., create a framework in which we can get information to them. It's not as efficient as we'd like. Homeland Security Information Network, as we develop the capability and adjust the flow of information, ultimately I think will allow us to get information to the owner operators in their place of decisionmaking. Right now it's pretty awkward, because we have to bring them into a classified facility, assure they have a clearance, but one of the things we're looking at is how can I be sure I can give you quickly timely the information you need to make that decision at the place where you need to make it, because if you don't, we can't be as efficient as we want. Clearly, with the financial institutions in New York, their leadership all have security clearance. We were able to work very closely with them in sharing some of the most sensitive information last August, because we knew the need of being able to share it with them. But we were able to do that on an ad hoc basis and I think we need to move to a much more systematic capability. But it requires changing our whole framework for protecting sensitive national security information that's been in place for a long time and that takes a lot of time.
Mr. Platts. In that review, that's something the department is engaged in, how it's going to try to streamline that?
Mr. Caverly. How to streamline that, how to make sure the information can go to someone who has to act on it in a protected way without it becoming cumbersome for them to have to receive the information.
Mr. Platts. Thank you. One final question, Mr. Muccia, that in your testimony you talked about the review of the Institution Business Continuity Plan and the importance of the board of directors' senior management being engaged in understanding and appreciating the importance of this issue. In those reviews, what is the norm? Is it the norm that the senior board members and executives understand that continuity disaster recovery is critical in today's time that we now live in? Is that the norm, or are there some that still don't get it?
Mr. Muccia. Mr. Chairman, that is the norm today. I once had a mentor who told me the key to success in business was if your boss was interested in a topic, then all of a sudden you become extremely interested in that topic, and I think now the events that we've had in the past and the examination programs that we've had that really lay responsibility at the very top with the board of directors. They know that we'll be taking enforcement actions against them if they're not paying attention. They have paid attention and have pushed down that message to senior management and have held them accountable. That's where we see success. When the board is active, when the board knows the plans, when the board is monitoring the status of those plans; that's when we've had success with the institutions. We've had some smaller institutions that still have some work to do, but we are working with the institutions to make sure they get the message.
Mr. Platts. I would share the message with your mentor. Those are some wise words. I learned from my mom and dad. If my mom or dad was focused on something, it was important for me to get that done. Mr. Towns, do you have any comments?
Mr. Towns. I just hope my staff is listening. I do have one more question. I'd like to direct this to Mr. Scott Parsons. Treasury released a report that essentially called for the ending of the terrorism insurance backstop for insurance to provide terrorism insurance products to the marketplace.
Many industry participants, including some of those before us today, have called for extending the authorization of such programs. Can you describe for us the economic incentives or barriers that are present in today's market to justify such a decision? Won't the loss of the TRIA backstop provide less incentives for insurers to provide such coverage?
Mr. Parsons. Congressman, I appreciate the question; appreciate the spirit of the question. My response to you is the department did issue a report and Secretary Snow has signed it and I would let that report speak for the position of the department at this point.
Mr. Towns. No further comment?
Mr. Parsons. No, sir.
Mr. Towns. Well, I can understand the sensitivity about it, but you also need to understand our concerns.
Mr. Parsons. Certainly.
Mr. Towns. We'll drop it at that. Mr. Chairman, I'll close on that note, hoping, though, we could get some kind of written response from the Treasury Department, because this is something that we have people asking a lot of questions about and we can't give them the answers, so I would appreciate that, recognizing you might not be prepared to do that this morning. We look forward to getting that. Mr. Chairman.
Mr. Platts. Exactly, Mr. Towns. I would suggest if the department will followup to the committee in writing, we'll keep the record open for about 2 weeks for that submission. I want to thank each of you. I did have one final question in a broad sense, because we certainly as fellow Americans are watching the devastation of the Gulf in recent weeks now with Katrina and now Rita. We also appreciate in trying to help those citizens and businesses recover the tremendous demands on the Federal, State and local private sector.
Your read on how that's going to impact your department and ability to continue all the other efforts that are underway in Homeland Security, at Treasury and to have your arms around the needs of the Gulf Coast, is there anything you want to make sure we're aware of that's going to be challenging for your departments?
Mr. Parsons. I would just make a general comment, Mr. Chairman, which is--it has been a very taxing month, and we have worked very hard to make sure that the people who have been affected by these storms have financial services that they need to conduct their lives, and I have to tell you I have seen some extraordinary work done at all levels; at the State level, at the local level, at the Federal level, and especially the citizens and business owners who are down there. What I would just tell you is that it has opened a new set of thinking for us in terms of lessons learned, in terms of things that we think we need to be doing as a next step in preparing the financial sector, so we anticipate a real effort to get some good lessons learned out of this, but not just to have lessons learned, but to actually act on them and make sure. It's our philosophy that we need to make sure we understand what is happening and be better prepared for the next one.
Mr. Caverly. I think two things. The Secretary's reorganization saw the need to insure that we had a better balance between the preparedness activities and the prevention activities and I think this highlights that and his reorganization does it. Second, I think it highlighted the changed nature of the expectation of the private sector and the government in restoring, particularly for those assets that have significant natural impacts such as the pipelines, refineries, etc. and it increases our need for information sharing, for something simple as working to make sure the aerial photography that we take very quickly after it gets to the owners and operators who don't have access to the sites they can begin their response. We can share things that historically we did not connect the two together so I think it will have that kind of practical impact.
Mr. Platts. Thank you, again to each of you. We appreciate your written testimonies, your testimonies here today and each of your respective organization's work of you and your colleagues on behalf of our fellow citizens. Thank you. We'll take again a brief 2-minute recess where we'll get our third and final panel set up and reconvene shortly.
[Recess.]
Mr. Platts. This hearing stands back in session. We're delighted to have on our third panel some members from the private sector to share their insights. We have Catherine Allen, chief executive officer of BITS Financial Services Roundtable; Mr. Donald Donahue, chairman, Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security; Mr. Samuel Gaer, chief information officer, New York Mercantile Exchange, chief executive officer NYMEX Europe Limited; and Mr. Steve Randich, executive vice president of operations and technology and chief information officer of NASDAQ Stock Market. We appreciate each of you being here and we'll ask if you could stand and be sworn in and we'll take your testimony.
[Witnesses sworn.]
Mr. Platts. Thank you. The clerk will note that all witnesses affirmed the oath in the affirmative. We would again appreciate your written testimony. I call it my homework. When we were in school on a regular basis, and we had that homework. They're not the only ones to get it and the written testimony gave Congressman Towns and myself some great insights in preparation for this hearing. Again, we look forward to your oral testimony.
If you could try to keep it to 5 minutes each, which will enable us to get into a Q and A with you. Mr. Towns has a time crunch, having to leave shortly before 1. Ms. Allen, if you would like to begin.
STATEMENTS OF CATHERINE ALLEN, CHIEF EXECUTIVE OFFICER, BITS, THE FINANCIAL SERVICES ROUNDTABLE; DONALD DONAHUE, CHAIRMAN, FINANCIAL SERVICES SECTOR COORDINATING COUNCIL FOR CRITICAL INFRASTRUCTURE PROTECTION AND HOMELAND SECURITY; SAMUEL GAER, CHIEF INFORMATION OFFICER, NEW YORK MERCANTILE EXCHANGE, INC., CHIEF EXECUTIVE OFFICER, NYMEX EUROPE LIMITED; AND STEVE RANDICH, EXECUTIVE VICE PRESIDENT OF OPERATIONS AND TECHNOLOGY AND CHIEF INFORMATION OFFICER, THE NASDAQ STOCK MARKET, INC.
STATEMENT OF CATHERINE ALLEN
Ms. Allen. Thank you, Chairman Platts and Mr. Towns for the opportunity to testify today. A full version of my testimony has been submitted for the record and is here today. I'm Catherine Allen, CEO of BITS. BITS is a nonprofit industry consortium of the 100 largest financial institutions in the United States. We're a non-lobbying group, sort of a think tank for technology and operations for the CEOs of these 100 largest organizations. We serve the industry needs at the interface between commerce, technology and financial services. We're probably most well known for the best practices and guidelines that we create on behalf of the members for the industry and we share that much more broadly through the FSSCC, through other groups, to the smallest institutions to make sure that they are aware of the issues and address some of those issues. BITS and Roundtable member companies direct about $40.7 trillion in managed assets, $960 billion in revenue and 2.3 million jobs. Our activities are driven by the CEOs and the CIOs or the heads of security of these organizations. The risk managers and leaders who care for the financial services sector critical infrastructure.
We also work closely with government agencies such as the Department of Homeland Security, Treasury, the Federal Reserve, the FBI and many financial regulators, technology and trade associations and vendors in achieving what we try to do. The financial services industry has always taken significant steps to prepare for and respond to major events. In fact, the financial sector is often viewed as the poster child for what needs to happen in the critical infrastructure arena, primarily because of our focus on operational, fiduciary, financial and reputational risk. Events in the past few years from September 11th to Katrina have escalated our efforts. While I believe our industry overall is better prepared than ever, there are significant risks that can only be addressed by working in partnership with others and that partnership is what I'll talk about mostly in my testimony. Financial institutions weathered Hurricane Katrina well and now Hurricane Rita and responded to customer needs quickly. They also responded well during the August 2003 power outage and the terrorist attacks on September 11th. Our sector is a favorite in terms of a target by cyber criminals as well as terrorists. Over the past 4 years the financial services sector has taken major strides to respond to the risks we face today and prepare to address future threats and vulnerabilities. Financial institutions have business continuity plans which they constantly update, refine and test. This is a regulatory requirement and part of the risk management process that all financial institutions have embraced. As financial institutions identify risks, they work to mitigate them and BITS has made coordinating financial services industry crisis management efforts a top priority. Some examples of what we've done: There have been numerous conferences and meetings to bring together leaders and experts. 
We developed a crisis communicator for our CEOs and crisis management coordination and security executives to get them on the phone as quickly as possible. We've helped create and drive membership in the FS-ISAC, the Information Sharing and Analysis Center; we conducted worst case scenario exercises, we've engaged in partnerships with the telecommunications sector and key software providers such as Microsoft to address our industry's business requirements. We've compiled lessons learned from September 11th and from the August 2003 blackout and Hurricane Katrina and have shared those with the industry. Most well known are our development of best practices and voluntary guidelines in everything from how you manage outsourcers to the alert levels at the Department of Homeland Security to the cross industry telecom business requirements. We're currently working on best practices with the energy industry, energy and power industries. We created a model for regional coalitions, ChicagoFIRST, and we developed liaisons and pilots with the telecommunications industry to develop the appropriate levels of diversity and redundancy. There is no true diversity and redundancy in the telecommunications system today and that was one of the things that is critical and on the top of our list. Most recently in response to Hurricane Katrina and now Hurricane Rita, BITS stepped in to help in coordinating and disseminating critical information and, again, in my longer testimony, there are examples of that. As you know, the financial institutions are heavily regulated and actively supervised by State and Federal agencies. Both have stepped up their oversight of business continuity, information security, third party service providers and critical infrastructure protection. And also the financial exchanges have added requirements in this area. Regardless of how well financial institutions respond to regulations, we simply cannot address these problems alone. 
Our partners in other critical industry sectors, in particular telecommunications, energy and software, must all do their fair share. In fact, we call it conducting a ``higher duty of care'' because they respond to the critical infrastructures. During the past 4 years, the FSSCC, the Financial Services Sector Coordinating Council for Critical Information Protection, has been created. BITS helped to establish that and continues to play a major role in its efforts. You'll hear more about that from Don Donahue in a few minutes. We work closely with the FSSCC under the Department of U.S. Treasury and with other departments at other government agencies. There are specific examples of cooperative efforts that BITS funded and put together and share with the industry. First of all, with the Securities Industry Association, we put together best practices and what you do at different levels of security from the Department of Homeland Security's alert levels, what you do at the various orange, red and yellow levels, we shared those throughout the critical infrastructure industries. Second, working with the U.S. Treasury, we funded or underwrote the costs for developing ChicagoFIRST so we would have a regional model and then could share that model with other member companies in other regions of the Nation. ChicagoFIRST was created to foster preparedness and recoverability of financial services in specific regions and again serves as the model for other regions. As part of BITS' work to strengthen our critical infrastructure, we also focused on the need for more diverse and resilient telecommunications services. BITS engaged with the telecommunications companies, and worked very closely with the National Communications System, an excellent group, which is now under the Department of Homeland Security and worked with them to develop the BITS Guide to Business Critical Telecommunications Services. 
It's a resource for outlining what financial institutions need to ask of their telecommunications partners and in my role sitting on the NRIC, which is a group of telecommunications CEOs that respond to the--that advise the Federal Communications Commission, we also provided that information into those work groups so we could exchange the dialog with the telecommunications industry about best practices. In dealing with Katrina's aftermath, you can see how important telecommunications resiliency and redundancy is. Attached to my testimony is a comprehensive overview of the contributions that BITS has made in the last 2 years and, again, shared with the entire industry. They tend to focus around a few key elements: One, improving communications during crisis; two, enhancing the resiliency of the telecommunications infrastructure; third, enhancing the reliability of the electric grid, because telecom and financial services are all dependent on that; improving the security of software, hardware and the Internet; addressing forms of online fraud and identity theft and improving oversight of third party providers. There are numerous lessons we can learn from September 11th and August 2003 and that is to be prepared and share information and view preparation from a strategic and holistic manner. Last, some of the key things I think that the Federal Government can do is focus on this need for diversity and resiliency in the telecommunications infrastructure. There may be incentives such as using the telecommunications excise tax that could be used to incent telecommunication infrastructure changes, certainly to make available more satellite and alternative channels of communication; R&D dollars allocated to telecommunications resiliency is critically important, and again I commend the National Communications System under the Department of Homeland Security and make sure that maintains its critical role. 
Second is the power grid must be considered among the vital critical infrastructures to make sure it works across the Nation. Here incentive dollars are needed and, as I said, BITS is working on best practices for this industry. The alternative power generation area is critically important for not just financial services, but all critical infrastructures. Third, recognize the interdependence of all critical infrastructures. You cannot make requirements of the financial sector without realizing how dependent we are on telecom and power, and in some ways on the transportation industry. BITS has worked very closely with the chemical, the telecom, the power, energy and other critical industries to share what we're doing and to share best practices with them, but again, making sure that what's of vital importance is how this interdependency is addressed from the Government level. Last, and I would say probably most importantly, all of us at BITS worry about a combined physical and cyber attack. We have not had that, but I will tell you that all of the Nation's data systems; the first responder systems, the hospital systems, the police systems, the financial systems, rely on pretty much one operating system. The need for us to make sure that our operating systems and software, our hardware and our networks are secure and that there are alternatives if they are not available is critically important and that's what we mean by the ``higher duty of care'' for providers of those services. I've attached to my testimony a document we call ``PREPARE,'' which are seven things that we believe the government can do with regard to cyber security issues and again they include everything from promoting the issues and educating the consumers and the industry to providing R&D dollars to strengthening law enforcement who address cyber security issues. One other issue and that's in response, Congressman Towns, to your question about TRIA. We think it's critically important. 
It's a tool that provides liquidity in the property and casualty insurance markets. Thus far, it has not cost taxpayers any money, but has resulted in the placement of a significant amount of terrorism coverage. We encourage you to reauthorize TRIA and continue with that, because it's a piece of this holistic look at terrorism. Finally, Hurricane Katrina has made poignantly clear we need to improve coordination procedures across all infrastructures and with Federal, State and local government when events occur. On behalf of both BITS and the Financial Services Roundtable, thank you for this opportunity to testify.
[The prepared statement of Ms. Allen follows:]
[GRAPHIC] [TIFF OMITTED] T6505.026 through T6505.048
Mr. Platts. Thank you, Ms. Allen. Mr. Donahue.
STATEMENT OF DONALD DONAHUE
Mr. Donahue. Chairman Platts, Ranking Member Towns, thank you for inviting me today. As you know, I currently serve as chairman of the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security. Which you've already heard referred to as the FSSCC, an industry group dedicated to infrastructure protection efforts.
I'm also chief information officer of the Depository Trust and Clearing Corp., one of the key industry infrastructures. Through its subsidiaries, DTCC processes most U.S. trades and a broad range of financial assets, for example, last year clearing and settling 1.1 quadrillion worth of financial transactions. FBIIC was established by the sector in 2002. It currently has 33 members consisting of many of the key industry infrastructure organizations and trading markets and a broad array of industry trade associations representing an estimated 8,000 financial institutions. The FBIIC's mission statement states that it seeks to foster and facilitate the coordination of financial services sector-wide voluntary activities and initiatives designed to improve critical infrastructure protection and Homeland Security. As I will discuss later, FSSCC has very real achievements in realizing this mission. The foundation for FBIIC's achievements is a very effective partnership with our key Federal counterparts, most particularly our strong relationship with the Department of the Treasury. Our sector-specific agency under HSPD7, has been the essential foundation for many of the sector's accomplishments in promoting infrastructure protection. The leadership of the Treasury's Office of Critical Infrastructure Protection has been invaluable in these achievements. The sector also is forming an effective relationship with the Department of Homeland Security and will continue to work with DHS in coordination with the Treasury to support its infrastructure initiatives. We also have effectively worked with the financial regulatory bodies to help them formulate and implement appropriate regulatory standards in this area. Earlier this year FSSCC published its report, ``Protecting the U.S. Critical Financial Infrastructure: 2004 In Review,'' a copy of which was made available to your staff. Let me mention a few examples of the sector's accomplishments identified in that report.
Prominent among them is promoting broad participation, broader participation in the Financial Services Information Sharing and Analysis Center, the sector's mechanism for sharing critical information about physical and cyber security threats and vulnerability. The FS ISAC reports it now has 1,749 participants plus an expanded reach through the sector's trade associations representing nearly 10,000 firms. Sector members have implemented several capabilities promoting more effective disaster recovery coordination in regions critical to financial services. You've already heard much about the example of ChicagoFIRST. Other regions have implemented similar coalitions and FBIIC and its members are working with Treasury to promote this model in other areas across the country. Third, coordinating the creation of a unified structure of emergency calls so that calls can be timed in a way to reduce conflicts and feed information into decisionmaking processes in an effective way. One of the key learnings that came out of the August 2003 blackout experience. These are a few examples of the accomplishments that the report highlights. FBIIC's own initiatives build on the very strong record of the sector generally in responding to these new infrastructure protection challenges. My own company, DTCC, for example, has put in place a far more resilient infrastructure supporting the financial markets, even though we continued to operate without interruption during the week of September 11th, completing more than $1.8 trillion worth of financial transactions that week. The industry's other core clearing and settlement organizations and the trading markets have implemented a variety of steps since September 11th to reinforce the resilience of their operations. In addition, key trading markets have thought through reciprocal arrangements to trade in other markets' financial instruments in an extreme emergency. 
Sector trade associations, the Financial Services Roundtable, BITS, the Futures Industry Association, the Securities Industry Association and many others have organized their members' efforts to improve resilience practices and to test those improved practices. Much detail regarding these initiatives is set forth in the 2004 annual report. Thanks to these efforts, the sector is to the point where I am very confident of our ability to operate with minimal disruption even under very severe circumstances. As successful as these programs have been, we also need to rehearse these practices to insure that they will work when needed. The sector's commitment to doing this as well has been exemplary. A notable example is the test plan for October 15th, in approximately 3 weeks, sponsored by the Futures Industry Association, the Securities Industry Association and the Bond Market Association. In this test more than 200 participants in the futures and securities industries will operate from their backup centers and test interaction with key markets and market infrastructures. FSSCC also is sponsoring a comparable test or considering sponsoring a comparable test on the payment systems side in 2006 and we expect to be making a decision about that reasonably soon. The financial services industry has responded strongly to the new challenge of business continuity in the post September 11th world. We have done this because of our very clear understanding that we are responsible for the financial assets of 270 million Americans and for their ability to continue to conduct their financial affairs. The people of our industry take this responsibility very seriously. This committee and the Congress can rest assured that the financial services sector is and will continue to be resilient and strongly prepared for future emergency situations. Thank you very much.
[The prepared statement of Mr. Donahue follows:]
[GRAPHIC] [TIFF OMITTED] T6505.049 through T6505.059
Mr. Platts. Thank you, Mr. Donahue. Mr. Gaer.
STATEMENT OF SAMUEL GAER
Mr. Gaer. Good afternoon. Thank you, Chairman Platts, and Representative Towns for inviting me to participate in today's hearing. The subject matter of this hearing is of an ongoing concern and engaging these issues head-on is an important tool in a set of responsible business practices for both private industry and government alike. I sincerely welcome the opportunity to express what the New York Mercantile Exchange or NYMEX has accomplished to date. The exchange is the world's largest physical commodity futures exchange and has been an example of market integrity and price transparency throughout its 133-year history. The Exchange also plays a vital role in the commercial, civic and cultural life in New York. It provides thousands of jobs in financial services and allied industries and through its charitable foundation supports cultural and service programs in the downtown community of New York, throughout the Tri-state area where our traders and staff live, in Washington, DC, and Houston. The business continuity planning process requires commitment from management and the ability to foresee various contingencies. Our leading role in the energy and metals markets demands we take steps to insure that our price discovery and formation mechanisms will continue to be available in the event of an emergency affecting our operations. NYMEX has a proven track record that demonstrates a dedication to insuring that we can provide our services even in the face of extreme adversity.
We are not satisfied, however, to rest on successes of past performance. As such, we continually analyze and improve our business continuity plans. The Exchange's emergency preparedness may be broken down into several distinct but integrated categories: business continuity planning, the more narrowly focused practice of recovery planning, the education of critical staff responsible for emergency preparedness and finally the Exchange's external efforts, including coordinated industry-wide testing and providing valuable feedback to government industry agencies. The Exchange's business is comprised of many different process groupings, each of which requires a particular expertise. These business units are each assigned a staff member who acts as a business continuity coordinator [BCC], whose responsibilities include assessing the critical processes and creating a workable recovery plan. The BCC is an individual with experience in the procedures of their specific business unit. Tactical decisions rest with the Emergency Operations Team, the EOT, which is comprised of BCCs and business continuity leaders. The BCL's role is to coordinate the Exchange's continuity and disaster recovery efforts, lead the EOT and report to the crisis management team. During an emergency, the high level strategic decisionmaking authority rests with the CMT, the Crisis Management Team, which is comprised of members of NYMEX board of directors, executive committee and critical senior executives. Their role is to assess the threat and if necessary provide an official declaration of disaster, communicate with members of the Exchange and coordinate with regulatory and industry agencies. The CMT is empowered by the board of directors to make critical decisions necessary in any emergency recovery effort. NYMEX's core business is commodity futures trading and clearing. In order to insure the continuity of this business we have developed several alternative continuity plans. 
The Exchange headquarters, for instance, were designed to be as redundant as possible, including the availability of a backup generator fueled by, of all things, diesel fuel, which was critical during the September 11th terrorist attack and the blackout of August 2003. One of the first priorities for the Exchange after recovering from September 11th was to build a completely redundant replica trading facility. This facility, which was completed in January 2003, is located outside of the city and is a reasonable commute for our staff and traders. It contains fully operational trading ring, telephone work stations and space and administrative space. More importantly, it also has the ability to disseminate price data worldwide and is a completely redundant data center, housing all critical Exchange IT systems. All of our traders and key employees have been provided with directions to the site and many of our traders have participated in a mock trading simulation actually bringing them out to the site and going through an actual trading session where they exchange trades and we ran through the clearing cycle. In a situation where access to the trading facility in lower Manhattan or the backup site would not be immediately available, the Exchange also has two electronic trading systems, NYMEX Access and NYMEX ClearPort, both of which have 24-hour trading capability. In fact, we were the first Exchange in New York to open following September 11th. Although it was preferred that the trading would resume by open outcry, a preferred venue of trading, it was apparent that the quickest way to reopen markets would be through NYMEX Access, despite the destruction of the proprietary communication circuits in the collapsed Twin Towers. The Exchange was the first New York financial market to reopen when the new system went live on Friday, September 14th. 
The initial energy and metals trading session was just 2 hours long, but the pent up demand for trading services resulted in then-record electronic volume of nearly 70,000 contracts. This volume was nearly eight times the average daily volume of regular 16-hour electronic trading session at that time. In the event of an emergency, it is necessary to have a safe and secure place for teams to assemble and manage recovery efforts and coordinate services. The Exchange maintains emergency operations centers at both primary and backup sites. Should an emergency affect the primary site only, an additional temporary location has been made available through a local community relationship. Maintaining communication is the single most important aspect of any emergency recovery effort. All aspects of our emergency operations center are choreographed by multiple communication links between resources and Exchange responders. Continuity planners must envision and plan for emergencies that disable telecommunications, utilities, transportation, other infrastructure service vendors and customers. Disaster recovery planning also specifically refers to restoring the information technologies that run our business and provide services to staff and customers. Every critical Exchange system is duplicated and can provide services in the event the main facility or system is unavailable. Data moves across redundant fiberoptic links, linking our backup site to the primary site. In addition to wide area network or WAN created between the two hot sites the exchange maintains multiple hot links to Internet service providers. The Exchange information technology systems form the underpinnings of our ability to recover the services we provide to the marketplace in a timely fashion. As new systems are developed and deployed at NYMEX fault tolerant distributive-active active and advance replication technologies are used to help insure we provide these services in the most adverse environments. 
In September 2004, on behalf of NYMEX, I testified before the House Financial Services Committee hearing on the emergency preparedness of the financial services sector. We have since participated in the TopOff 3 exercise sponsored by the U.S. Department of Homeland Security, which was designed to test the readiness of first responders; Federal, State and local emergency managers along with key infrastructure components such as hospitals and transportation networks. The securities industry component of the TopOff 3 exercise involved the SEC, U.S. Treasury Department, exchanges and trade associations such as the Securities Industry Association, Bond Market Association and the Futures Industry Association. In addition, in October 2004 NYMEX, the MIA, other leading futures exchanges and clearing firms successfully completed the first industry-wide disaster recovery test. The test scope has expanded in 2005 to include market data vendors. This industry-wide disaster recovery test has become an annual event and is scheduled for October 15th. The Exchange is among the leaders in an industry-wide initiative to standardize the protocols governing the way companies send and receive data. This will help many companies develop systems based on standardized specifications, making it easier to deploy and maintain data communications internally and externally under challenging circumstances. Another area we have taken advantage of is sharing alliances. The Financial Services Information Sharing Analysis Center, FS-ISAC, is a source of critical information ranging from information security alerts to Homeland Security threat analysis. The New York City Office of Emergency Management is another source of information for New York-based companies. This information is critical for the constant monitoring of potential disruptive events. NYMEX has a global presence. The Exchange's energy and metals futures markets provide benchmark pricing information that is used worldwide. 
NYMEX recently opened up an exchange in London and signed a joint venture agreement with the Dubai Development Investment Authority [DBIA]. The exchange must be cognizant of world events. NYMEX views continuity planning as an ongoing project that is necessary to meet critical business needs and it incorporated this planning into its day-to-day operations. Every project system or business process deployed incorporates some form of continuity planning. Risk and impact analysis, training, disaster recovery, testing and regular meetings with critical staff create a sense of awareness throughout the company. Business continuity planning has become part of NYMEX business fabric. We strive to learn from past experience. The September 11th terrorist attack, the 2003 blackout, our mock disaster testing and planning for the 2004 Republican National Convention, as well as the recent bombings in London which I was personally about two blocks away from, have helped us prepare for the future. This year as we were finalizing preparations for the launch of the London trading facility and during the July 7th and July 21st bombings, we activated our emergency teams as a response to that event. We are currently following important developments in the Gulf Coast region as our Nation struggles with the catastrophic damage caused by Hurricanes Katrina and Rita. As you know, there are critical delivery points for both gasoline and natural gas in that area. Government agencies are of critical importance in preparing for and providing critical support during an emergency. The relationship the Exchange has developed with government leaders has enabled us to overcome many difficult recovery challenges. In the immediate aftermath of September 11th, we received significant assistance from the Federal, State and city governments. The Exchange appreciates being invited to participate in these important discussions. 
Further efforts to improve communication between government and industry will only strengthen the ability of the Nation and financial markets to respond to the changes that lie ahead. Large scale emergencies similar to those that have occurred in the past are inevitable. Continuity planning is not an individual task, but must be faced by all involved participants in the services sector. I would like to thank the chairman and Ranking Member Towns for holding this hearing and inviting NYMEX to discuss this extremely important topic. Thank you. [The prepared statement of Mr. Gaer follows:] [GRAPHIC] [TIFF OMITTED] T6505.060 Mr. Platts. Thank you, Mr. Gaer. Mr. Randich. STATEMENT OF STEVE RANDICH Mr. Randich. Thank you for allowing me to testify today. I'm Steve Randich. I oversee operations and technology at the NASDAQ stock market, which is the largest equities market in the world. It's always been a priority at NASDAQ to maintain a hardened resilient operation that can withstand catastrophic events. A few principles I want to communicate today are that NASDAQ for a very long time has viewed business continuity and disaster recovery as a top priority. We've had a backup data center in a remote geographic location for 20 years. Second, exchanges in the United States are evolving toward an electronic trading model and this will naturally enhance the capital markets' ability to withstand catastrophic events. Last, business continuity planning is a collective effort. A stock market alone does not represent our capital markets. Instead, it is only as good as its weakest link. Our operating model provides a natural business continuity advantage. 
Historically, an exchange operated at a central physical location where buyers and sellers would meet face-to-face to trade. A single central location without a practical and tested capability of backup puts our Nation's capital markets at risk. Trading at NASDAQ is executed through our sophisticated computer and telecommunications network. Unlike physical floor-based exchanges which employ a specialist to direct buying and selling of a stock, NASDAQ's open architecture structure utilizes hundreds of geographically diverse and competing market makers who simultaneously provide trading liquidity for stocks listed on the market. This insures not only healthy competition for investors, but, more importantly, prevents a single point of failure given the geographic diversity of these market makers. NASDAQ was prepared for and fully resilient operationally to September 11th and the blackout of August 2003. Geography is critical to our operation resiliency. We have two data centers that are more than 300 miles apart. They are located in different geologic and climatic zones and are in different regional power grids outside of metropolitan areas. We store enough fuel onsite to allow us to run our data center for a full week during an extended power outage without a refill. We also maintain 185 tons of batteries for additional backup. We test each of our generators weekly and perform a utility failure test across the entire infrastructure every quarter. In addition to geographic diversity, we also use locally situated systems and networks to achieve resiliency. Several network providers are utilized, each with network diversity conductivity into our two data centers. Market participants are insured maximum protection by employing diverse access to both our primary and backup data center at all times. At no time during the week of September 11th were NASDAQ systems inoperative. 
When the attacks occurred, trading was suspended, but NASDAQ's systems and network continued to operate. We focused on insuring connectivity to our market participants who provide liquidity to our marketplace. Although actual stock trading was suspended, our systems operated continuously throughout the week. Notwithstanding the success after September 11th NASDAQ implemented improvements to our backup system. We added more frequent testing to our backup site and began regularly testing full market-wide disaster recovery tests that are open to all market participants. In collaboration with State and Federal authorities, we evaluated and increased our physical security. Although large portions of the northeastern United States were out of business during the blackout of August 2003, NASDAQ maintained full operations throughout that 2-day period. Our alternative power systems automatically provided immediate continuity so that there was no impact. However, the blackout revealed some areas of weakness in the financial sector that required vigilant attention. There's a need for more backup facilities outside of high risk metro areas like New York. Although most large market participants and telecommunications providers had backup systems and procedures in place, they didn't all work as expected. There were several examples of backup generators that failed within 12 hours of the blackout, largely because of either poor fuel quality or machine maintenance. Looking forward, and since September 11th, NASDAQ has worked closely in participation with the Federal Government and private sector to strengthen the resiliency of our infrastructure. We now have a contingency plan that provides NASDAQ the ability to trade all New York Stock Exchange stocks if its trading floor becomes inoperative for an extended period of time. Nearly 18 percent of the daily NYSE volume already trades electronically on the NASDAQ network, so this contingency trading plan is in effect tested daily. 
In conclusion, NASDAQ is continually anticipating, evaluating, preparing for what may occur one day. Our preparedness will never be 100 percent perfect as we're limited by our human imagination of what might occur. Our increasingly decentralized, geographically diverse operating model continues to provide us with a high degree of confidence that we will be prepared for the next event. As I said earlier, the industry is rapidly moving toward electronic trading, which is very good news for resiliency. With electronic trading, an exchange no longer needs to be tied to a single location. Effective backup and redundancy is the key to security against any form of accident or attack and essential for our financial national security. For financial markets we believe this is the core lesson of September 11th and the blackout. For the committee and all concerned branches of government, we believe it is a crucial lesson as well. Thank you for the opportunity to testify today. [The prepared statement of Mr. Randich follows:] [GRAPHIC] [TIFF OMITTED] T6505.069 Mr. Platts. Thank you, Mr. Randich. Again, to all of you, appreciate your testimonies. Maybe a broad question to each of you, just in dealing with the Federal Government in your respective organizations and members; infrastructure, critical infrastructure protection, what do you see as the greatest hurdle in dealing with preparedness and are there any specific statutory changes you believe need to be made to allow better cooperation, interaction with the Federal Government? If anyone would like to---- Mr. Donahue. I'll start. Mr. 
Chairman, I certainly could not recommend any statutory changes, although some of my co-panelists may have ideas. I think we, as you unquestionably heard this morning in the testimony, the financial sector is very, very proud of what they have accomplished in this space and I think rightfully so. There has been a lot of energy devoted to this. You asked earlier about the state of compliance with respect to the sound practices paper. All of our organizations have met their deliverables by this time. The significant firms in the paper are all well on track to meeting the deliverables by 2006. I think our interaction with Government in support of those objectives has been very positive. I think a question that looms on the horizon is, speaking personally, how much is too much and how much do you achieve agreement in the public and private sectors about the degree to which resource investments yet need to be made in financial services to achieve levels of resilience beyond where we're at at this point, and making sure that we all have a very reasonable sort of judgment. If we can arrive at a reasonable judgment on that question is going to be a key issue as we go forward. Mr. Platts. Cost benefit analysis---- Mr. Donahue. Very, very much so. Again, you heard from all the remarks people were making, that there have been significant investments by a number of the industry infrastructure members and a number of individual firms, and making sure any additional adjustments we're asked to make by the benefits we're going to derive from them is a critical issue going forward. Mr. Platts. Ms. Allen. Ms. Allen. I would say the two areas I would like to see the government spend much more time focusing on is the interdependency area to understand how dependent we are on these other critical sectors, and how much our regulators can require us to do something. 
We cannot do it if the telecom, power industry and IT industries are not there, and we must place the focus on cyber security. Second, I don't know if there are statutory changes needed, but an example would be antitrust exemption. BITS has a product certification program. It's a voluntary testing program by vendors, software vendors, to meet minimum security requirements. They overwhelmingly tell us, ``We really aren't going to do it unless we're mandated to do it.'' BITS cannot mandate because of antitrust concerns. So, look at how do we as an industry or even critical infrastructure industries set standards for cyber security. Another thing is, again, incentives for the telecommunications infrastructure to have alternative telecommunications systems, but also to provide this diversity of redundancy that we need. Then last, I think the concept of funding regionals was brought up. If there were some kind of seed money that would help, we would--let's put it this way, it would happen much faster, if there were some seed money for the critical areas. We could all sit here and name who were the 10 to 15 critical geographic areas and there were some seed money. There's a model, there's some support, but it does take money, it takes some coordination to implement. Mr. Gaer. I would actually echo some of the statements made regarding to--our experience regarding government involvement with disaster recovery business continuity has been a very positive one, in the fact that we're regulated by CFTC is our primary regulator. I took this job beginning in March 2003 and we were planning for a lot of these industry-wide events that were going to occur because the exchanges all got together, at least in the futures industry the exchanges all got together and said what do we have to do to make this work a little bit better. 
It was very refreshing to see representatives from the CFTC attend these meetings and say, listen, we're going to let industry drive this process, we're going to let industry drive the process, we're going to stand back and watch and see how you're doing it. We don't want to have to step in, so please manage this correctly. From all accounts, from everything you've heard today, I think the financial services industry as a whole has been managing it very well. Interaction with government has been on a very open basis, our access to things like GETS cards for critical personnel to use, Government Employee Telecommunication Service, I think it's called? Government Emergency Telecommunication Services. NYMEX's interaction with the OEM for events such as Hurricane Isabel of last year, where we're invited to come and join in government and to work together in partnership with government, but it's very clear from our experience, our industry-wide test, the blackout of 2003 that industry is going to drive the acceptance and industry is going to drive basically the ultimate result of any disaster recovery model. Mr. Randich. Briefly, having worked in a number of industries, I find it amazing how this particular industry is so self reliant and motivated in this regard, which is a good thing. So in that area, I really don't see any need for any specific legislation, only facilitation of policymaking that encourages technological innovation and solution in the area of business continuity and disaster recovery. Mr. Platts. Thank you, and I think this industry has gotten the American way of what do we need to do and how do we need to do it and let's get it done. I think that's been reflected in all our accounts today, the aggressive nature. 
That being said, I think one of the challenges for the industry, I think everybody has touched on it in some way today, is the interdependence of your industry with these other critical infrastructures; telecommunications, power, transportation, you name it. What would be your read on your interactions with these other sectors, if you want to pick power specifically, communication, and how they're responding and I think it was, Mr. Randich, in your testimony, about how they have onsite generators for a week's worth of power, fuel, if we had here in your facility like in New Orleans, where not only it's going to be well over a week before power will be restored, it's going to be months to some of those areas, and even inability to get transportation in because of the amount of damage that was done, how is the energy industry responding to having an ability to be redundant in their provision of services as best possible to your needs, again, not just energy, any of the infrastructure industry that we depend on. Mr. Randich. In all cases, the answer is never going to be perfectly. However, we all have choices that we make in the marketplace. We decided where we want to put our data centers. We decide who we're going to buy fuel from. We decide who is going to be our network provider and our power provider and we make those choices, so there's some vendor diversity, as well as we pick partners that have proven to be reliable over time. So I very much believe that the free enterprise economics and decisionmaking over time converge on the best solution for the markets that eventually prevail. Mr. Platts. As much as possible, again, market-driven solutions. Mr. Randich. Market-driven solutions. Mr. Platts. Ms. Allen. Ms. Allen. I would add that the telecommunications industry has been very helpful. Much of that from the work of Duane Ackerman, who chairs the NSTAC, the President's Advisory Council. 
In the private sector, CEOs and CIOs from the telecommunication sector work closely with us on that. It has come less from the government other than the NCC. The telecommunications, the best practices we're working on there, includes how many days of backup fuel you need to have, what are the transportation sources for that. That is, again, a private sector-led effort. It's not to say that the Department of Energy and others aren't doing things in this critical infrastructure area, but it tends to be more focused just on the industry, less on the interdependency issues. Mr. Platts. OK. How about in the sharing of information through the ISAC process and how that's working and specifically with financial sector, your read on where we are and where we could go to insure that's effective in its intent? Mr. Donahue. I think the sharing of information for the ISAC has been very successful to the extent it's reached. We're building the interstate highway at this point, and we are building a communications infrastructure that can get information out to members of the sector. We, obviously, have some distance to go in terms of adding end points to that network, but I believe that has been very successful and I think the ISAC membership is finding it very useful to get the alerts and the information that comes to them through that channel. I think Jim Caverly in the earlier panel put his finger on where this needs to evolve, which is the development of more formal procedures for information coming from the private sector to DHS, to Treasury in its role as sector specific agency about where we believe vulnerabilities continue to exist. Involving the private sector picture, conversely, of opening channels information from government in terms of threat information, in terms of more sensitive information of where clearance is possibly going to have to be obtained in order to be able to do that. That's the area that needs work and experimentation. Mr. Platts. 
That was actually one of my specific questions, because in your testimony you talk about the importance of communications and information, but what's your read on that access to sensitive information, whether security clearance is being required? Sounds like we have a ways to go in allowing that to be a more seamless automatic process. Mr. Donahue. I don't think anyone is comfortable with the state that has reached. DHS and Treasury both working together did sponsor members of the FSSCC for clearances at the secret level, which has been very helpful. I think there have been instances where information could be discussed on conference calls where we knew everyone on the call had a particular clearance and therefore they were somewhat more free to discuss matters, but it's clear that we don't understand who all needs to have access to the information, how do you sanitize information so that you can be conveying it to people who aren't necessarily cleared. I mean, all of those issues still have to be explored. DHS approached the FSSCC in I would say late spring and asked for our agreement to work with them on the development of an information sharing pilot that would sort of go to the next generation of an information sharing methodology between the government and the private sector. We have agreed with them to go forward with that and I think Katrina and Rita have intervened to sort of put that on the back burner for the moment, but I'm sure that will be something they return to in the fall. Mr. Platts. The interaction I guess between the private sector and the government, what is specifically in New York, if there is a major incident, what's the process of structures in place for yourself, your organization or members as far as being in touch with the New York City emergency response office, the NYPD? 
Is that a very formalized structure that you have a contact, people that you go to, and if one of the things that's down is communications, how do you make that contact, even if you have the right person to be in touch with? Mr. Gaer. For us, our proximity is probably one of our biggest assets in that situation. We have both formal and informal ways that we communicate with government here in the city as well as regional and national government. We're briefed on an ad hoc basis as far as threats and threat levels, especially ones that are germane to the financial services area. I think it was about a year or so ago when there were threats against Merrill Lynch and I think it was Prudential in Newark, where we were advised of these threats ahead of time and we were able to harden beforehand. We interact with local law enforcement, the Joint Terrorism Task Force, very well, as a matter of fact, sometimes to almost the shock of visitors who come to our facility in the rigorous amount of security that's around the building and how they have to get into the building, they're very, very shocked and then later impressed at how secure we keep the building. But the communication between ourselves and between government, again, it's formal and it's informal on an as-needed basis. I have a list of contacts, our president, our chairman, the crisis management team can get in touch with people at their homes on their cell phones or what have you, so it's been a very post September 11th, it's been a very kind of open cooperative environment. Mr. Donahue. A number of the infrastructures in New York, you mentioned that you have a seat at the OEM, others do as well. In the event of an emergency in this city, we know that our people are supposed to go to OEM. Securities Industry Association has a seat, my organization has a seat, the Exchange's technology arm has a seat. People know they're supposed to immediately go there so they can be part of that centralized communication. 
You mentioned GETS cards earlier, there has been a fairly wide distribution of GETS card within the financial infrastructure in the country, certainly in New York, so people have the ability to communicate if any telecommunications are available they get priority. The city has implemented a corporate emergency access system where we have cards that will give us access to no-go zones, for example, as I'm sure you know. Post September 11th, south of Canal Street people were not allowed to come for the first few days. This program would allow us to get people into our facilities and get things working, even though it might be in an area ruled not open to the public. So there are a number of steps the city has taken to improve communication and coordination that way. Mr. Randich. That privileged physical access is a huge improvement since September 11th. Mr. Platts. Is it fair to say with the physical access or the seat at the table with OEM, that this is since September 11th, this is lessons learned and then since the blackout to keep kind of honing each incident and get a little better? Mr. Gaer. Yes. Mr. Donahue. Absolutely. Ms. Allen. Those are lessons that have gone to the original coalition, ChicagoFIRST and other models as well. Mr. Platts. Your work with the creation of ChicagoFIRST really was a lot of that was derived from New York, we were talking earlier---- Ms. Allen. Right, the lessons learned from September 11th and we spent time with the OEM of New York because New York was actually ahead of all other regions and we used their model and shared back with them what we had developed on the regional model. Mr. Platts. Thank you. Mr. Donahue, in your testimony you talked about participating in the TopOff 3 drill. I'm sorry, Mr. Gaer, sorry. And you referenced that and all the different participants. 
What I was curious, your read on how successful the exercise was from the standpoint of, again, lessons learned and what would work or not, and how you responded to the exercise in implementing the lessons learned.

Mr. Gaer. I think you can only judge how successful an exercise is by its objectives and I think for these particular tests the objectives being that you had so many participants from diverse areas, you couldn't really go through every permutation of everything, so to speak, that's going to happen. We actually judged it from our point of view to be very encouraging, to have been very successful. Where we are right now is honing in on our industry-wide disaster recovery test, although it's not going to include the telecom sector per se or the power sector per se. We're really working in our industry to get it right in our industry first and our first test last year was a very kind of bland, basic test which was very successful and it actually exceeded people's expectations and there was a lot of discussion prior where you get everybody on board as to when you can do it and what are we going to do and what are we going to run through and it turned out that people were more prepared than we thought they were going to be. For the TopOff, the interaction between ourselves and the various other industries and agencies I thought went very well. Certainly in every exercise there are areas where you need improvement and again I would probably highlight, as other members of the panel have, the improvements between the telecom sector and financial services sector would probably be something we should concentrate on.

Mr. Platts. A followup to that, Mr. Donahue, was the coming exercise October 15th that you reference in your testimony.
Could you walk me through what's going to happen there and what involvement, because you reference sponsors and the various institutions that are going to participate, the involvement of any Federal agencies that will be participating or just kind of watching, taking in that exercise?

Mr. Donahue. I think, first of all, what will happen on the 15th is 200-plus firms are going to, there are essentially two tests occurring that day concurrently, the Futures Industry Association is doing its second iteration of its industry-wide test. The securities industry and Bond Market Association are coordinating a test for their members on the cash side, which is the first time that piece of the securities industry has conducted such a test and essentially, what will happen is that each of the participants in the test will go to their backup data center locations and their backup business process center locations and seek to establish connectivity with key industry infrastructures, DTCC being one, the New York Stock Exchange being another. Steve, I don't know if NASDAQ is participating, but NASDAQ would be another infrastructure that they are, I'm assuming you are, and that would be another infrastructure that they connect to. Establish connectivity and run a few transactions through. We're not going to try to simulate a day's activity or anything like that, but run transactions through so make sure you can get transactions to the trading facility, for example, and then you can get feedback from the trading facility acknowledging receipt of the order, acknowledging execution of the order, whatever it may be, so you can function on your backup if you need to in the light of an emergency take place.

Mr. Platts. Is FCC or Treasury going to be in any way participating or watching how it goes?

Mr. Donahue. They will be getting a report on the test results after the fact. At this point it is essentially, this is the model the industry followed in preparation for Y2K.
We conducted tests that we had organized and we implemented. We were reporting to our regulatory agencies, to Treasury as well in this instance, how that it proceeded, because it's clearly of interest to them, but it's not something they would have direct involvement in on the actual day of the event.

Mr. Platts. I think another good example of the private sector not waiting for government to say, hey, do this, but responding appropriately to being well prepared. Mr. Randich, in your testimony you went through in detail some of your security preparations from buffer zones around the data center, fingerprinting policy for employees and contractors. A pretty extensive range of security measures. What would be your assessment on how common that is in the financial sector, whether it be specifically here in New York or a broader sense nationally?

Mr. Randich. Significantly more so than it was in September 11th, just being in the business and having to go visit our customers and peers. It's like going through the airport several times a day, so that's very good news. The one area I think is important to note kind of where it's limited and where it would be important to improve, one of the advantages we have is that our two data centers are located in corporate parks, remote areas in one case, even beyond the suburbs. That basically allows us to, where the single owner tenant of the facility gives us 100 percent control over the security and the infrastructure and sometimes I feel that organizations that have their critical assets in a multi-tenant high-rise in the metro area don't have the level of control that they might need.

Mr. Platts. Again, in any urban setting your ability to have that, proximity of other buildings, even if it's your own building is a lot more challenging in an urban setting.

Mr. Randich. Very much.

Mr. Platts. Would any of you like to comment on that issue of the breadth or depth of security in the private sector?

Mr. Gaer.
I actually could and I'd like to put a little bit of a twist on it in that yes, security, at least from the Exchange level, we have as members virtually every investment bank, large trading house, etc., they're members of ours and we're kind of this hub, or a utility for liquidity and price formation, so we need to take extra steps to be as secure with our--in our physical as well as our virtual presence. But what I'm seeing, what I've seen personally from being in Europe and being in London in particular, London has definitely tightened up security post what they call 7/7, but I will tell you that the security that you find, especially here in the New York metro area is light years ahead of what is happening outside the United States and that's important to us for reasons of cyber security, which I believe is probably going to be one of the next great frontiers that we are all going to have to tackle as an industry in our DR testing.

Mr. Platts. I think that interdependence with cyber security, because you can harden a facility, but you could be on the other side of the world and depending on the cyber security protections out there, they can still do great harm, and that's come to light in some of the recent reports on China and some of their--at least what appears to be concerted Government efforts on an incredible scale to break into sensitive data bases in the United States, not just government offices. So that challenge is one that is global and what happens elsewhere is going to impact us. Is there an interaction with those European markets and what we are doing here in New York? We talked a lot about sharing of best practices here, how much of that is occurring internationally?

Mr. Gaer. I can only speak from our industry and I would have to say very little as far as an international effort, I would say very little.

Mr. Donahue. Depends on the level that you're talking about. At the infrastructure level, it's quite a bit.
SWIFT is the international payments messaging network, our counterparts in Europe, Euroclear and Clearstream are the two securities depositories over there. There are very definitely interactions in those core organizations and what's the best practices we participate in SWIFT committee, we meet with Euroclear and exchange business continuity standards very regularly. Once you go beyond the infrastructure, I would agree completely that different firms are not necessarily coordinating the way that we're seeing here in the States.

Ms. Allen. We have some BITS members at the Canadian Bankers Association and APACS, which is the payment system in the UK. We've shared best practices with the Japanese, with the Australians, with the OECD countries, but it's nothing formal.

Mr. Randich. We've hosted walk-throughs of our data center many, many times. We're continually doing it, and it's interesting, not much European interest, but we've had the South Americans, the Asians and even the Middle Eastern and Indian markets come take a look.

Mr. Platts. The hope certainly is that as we are in a global economy, that is everywhere and that the lessons being learned here and especially as I've heard loud and clear, the efforts in the Greater New York area really setting a great high standard, high bar for the rest of the country and the world, and the lessons learned now being in Chicago and looking to regionalize elsewhere around the country and ultimately around the world is going to be so important. Mr.
Towns apparently wanted, and he had to leave for another engagement and apologizes that he couldn't stay through your whole participation, but on technology, as technology continues to advance every day, the ability to ensure the security of those technological advances, and do you think our technology sector is doing enough to provide security day one when these new products are hitting the market, software and hardware as well, or do we need to take a closer look at what they're putting on the market from a security standpoint?

Ms. Allen. I would say there's improvement, and certainly we are working very closely with the largest provider of operating systems and software. We have a set of business requirements and a work plan with them to meet some of the business requirements we have, but it's a longer term process, because you have to change the culture of the United States, actually all of the software industry, in how it's developed, which has been to get it out there fast and let us be the Beta tests for them. Today we've got to look at those same providers of technology, whether it's the software, the infrastructure, the systems, to really test code much more rigorously, to develop code much more rigorously, to do the testing and to have the safeguards before they bring a product to market. That's that ``higher duty of care''--in particular, if it's a provider where they have a dominant share of the market for the infrastructure industries. So I think there does need to be more attention from not only the private sector, but also the government on this area and I think your question is correct. We have to look at this globally, because these players are global players, they're global players and it's going to be--Microsoft tells us that the time between a vulnerability and exploitation of that vulnerability is getting down to seconds now.
There's no way you can physically patch all the problems there so it means you've got to change the way you look at technology.

Mr. Randich. I think they're coming along slowly. It used to be a product would differentiate itself from the market with function, price, ease of use. Security has clearly been elevated as a measure of decisionmaking factor in the choice. But by no means should any of us believe you could buy security off the shelf. At the end of the day we have to take responsibility for it by choosing the best, most progressive solution members and tying the loose ends ourselves.

Mr. Platts. Again, kind of where we started with questions in that American way of partners between public private sector and individual responsibility and in the end doing what you can. I want to thank each of you and I wanted to give each of you, if there's anything you think you didn't get to highlight or want to touch on to reaffirm, to give you the opportunity before we close.

Ms. Allen. I want to thank you for holding this hearing. We feel the more that Members of Congress understand the issues from the private sector perspective, the better it is. We would be happy to educate others in any way we can.

Mr. Platts. We've been happy to have the hearings and have your participation as well as the other panelists earlier and it is a great educational process for Mr. Towns, myself and our committee staff and then having that as a resource beyond just our committee, to do a full committee with the other Members. We're on the same team. We are all part of a functioning economy in coordination, and the financial sector in New York especially, and ultimately receive quality for it. Please, each of you, don't hesitate to call on us for things you want to share as we move forward in a month or year or whatever that you think we should be aware of. We're always glad to have that feedback so we can partner well with the private sector in what we're doing in Washington.
We will keep the hearing record open for 2 weeks if there's anything from this panel or previous panels to submit for the record. Again, we thank each of you and wish you and your organization and members great success in your efforts, and this hearing stands adjourned.

[Whereupon, at 1:19 p.m., the subcommittee was adjourned.]